23542300x80000000000000001047534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:07.867{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F1C9B6BE3C5E934408DC352B84B5ECD,SHA256=F57871557DA996981DC1246C9CF8F111D3F39A1C71AEDC5EE2B43417540BDC2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:07.311{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0781A4739216AC555F765B411CC589,SHA256=C46C4974D8AD37227B368708D2FD1AE20F1B806A8C7F19CAAF8DAE778ABF27E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:03.402{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50650-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001047536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:08.914{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0E703AFEA2A05EA585A428FC6F5F58,SHA256=345F5D9C2A43210B12581C0B8B04773160FD2EBDE0A7767AF8210C40A114E5FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:08.311{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C828AC339764BB6D5D19F6635BE5E57,SHA256=EFD97F7FD29D501DE24304466A7B67741C8B9B6FF12F4DD369CDF16354DEF33F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:06.837{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000976006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:05.089{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-5823-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:04.876{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59232-false10.0.1.12-8000- 23542300x80000000000000001047539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:09.928{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E311ADD4C87393F84AE04EC70B4FA76,SHA256=C284E786BDD12B79A35F94ED764DCD692F31A993A40FF706FB2696662D109503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:09.311{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556502AB8C04ED3C7584275E2E119674,SHA256=7C8E89B968F9BDA9EC9BADF13CE5EF40865D02E7A38B8D64B1890C158A717A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:09.697{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9144A2551EB9F632CC5F192AF737FFD9,SHA256=A3E6D0CA8DFB88D44BE4115E3572C3661412D507CE1CA0B09D91894C34D1E9EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:09.697{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15AB9AE7E9EDECE0203E1007DA545EAA,SHA256=6ED4B6C613D614C891928AD87E85BC82A9588CF99FD15834EBF980D8B567EF52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:06.241{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65213-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001047540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:10.947{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC43EACCE9D8AD964E21638B00F2A97,SHA256=F0E0853DE7315C7C1860C5840612BA316F199E10B201A5C7819DA27F0B6B89DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:10.389{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=077D0CF98CF9C5A396D428FD942ABBF8,SHA256=39EC5E6A70A101056C47333083F416746F5D2F88875BBAEE8F5A922045C43A7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:07.086{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49280-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:10.045{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A994F91692A06932242412AF48753E3,SHA256=907E065A3EA9DF3296F838BADC1FC4BCB2D7E6F1C2DC91C6C52658D5A1730C7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:11.639{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=491AE56D8E44AA64F30F37DF80585235,SHA256=BF28D62F829453D030EA8B7A6475E93DA560C92825E0645825CB46476F6E9F44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:11.983{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2158511CF0EEF0ABC8278181FB8F4C5,SHA256=C1AF886A5EB049FC621925C3B9CAF8CED8DC2B4176B9C5E180FAB17334A6FD04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:09.460{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50118-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:11.499{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=1CEFD230FC28688A0563451D6D9BDC0C,SHA256=D2350E840995F854E6F93A905231E74111C3B5EF65BE0C1D7FEF3A70E9136C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:11.499{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=38773BA2AFB0063479B322D8ABEFA959,SHA256=C1E4FFD29D9CF3FCAD801209D669371C3712B13FC7F2EB78FD5522EF72772114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:11.499{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=75FBA73D30CB01CD0935AD11BF016B6A,SHA256=F5453DE7322AD3550119C95250C3760EA2F5472F909029ABB4063F465D6CB041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:11.499{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=8A0A093FC365DEF032B5D76749498AA2,SHA256=AABA43E3699731B171D2534DE2C790BC3108EBEC52427BD728CE65BBBDF6E524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:11.499{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=22423C860C488BDC74B1D8F66E23CAB7,SHA256=080EF4CA12D1D8CD0191ADCE62141192F3433B4020DC75A33038AF3506F8C84B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:11.499{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=09558F87F5C3FB4E37FAB61E04E532F6,SHA256=033FAD5A242BB0A896EC4F71BB7D6390D66DC89B96143430DECC1F7105437E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:11.400{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9144A2551EB9F632CC5F192AF737FFD9,SHA256=A3E6D0CA8DFB88D44BE4115E3572C3661412D507CE1CA0B09D91894C34D1E9EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:08.305{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-55884-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:12.717{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94A239EE9E7CC597665884D50141068,SHA256=238C8320A956858CF08753F8A0355C1583FAEB3EC85D0B2FC8717684D622475F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:12.335{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4295MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:13.748{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A2EDA80294AD691DDF595C3C7C7BA2,SHA256=7AC67CC75C0CC63636898A949D85A06C5A0A6EF7278B338DF94E3333541824D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:13.333{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4296MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:13.032{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44105EED7C7FBF31783E49E210587731,SHA256=0E7B38C8DEDACB5EEF1E5A4991B16638C6021E8D15876F171E38E74723EAA0E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:13.405{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:10.205{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-35801-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:09.892{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59233-false10.0.1.12-8000- 23542300x8000000000000000976020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:14.764{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC20C54A1AF9BAEAAA3BD1200238F52,SHA256=1EFF99F0EDC238A5D1BC13B34DF8100914B7F3C867AF9E83AC63D91B18839ED3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:12.740{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49191-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:14.050{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52ECE3FBB24274BABC3244FADD6272B7,SHA256=822BA63B6D418BD52C732AF0792197E9CC5FB2EFD77CC83E3FE2A3222D1181CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:15.983{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F59D12B2B1DE7789C5F4A47B70174A2,SHA256=1604ABED58F6A4FA2E5F8775C7527B0F0A75D74BA884D533FCFEA101802DA3A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:12.034{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59234-false10.0.1.12-8089- 23542300x8000000000000000976022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:15.326{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DC3C4561157F58565552C38485F39FF,SHA256=93331ABD678669303772AADF34EA27B650AEC83B1A1ED5E1D55C28510BBB8037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:15.326{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D694FC6EA0D7619269D747379F99BBFE,SHA256=A29A83629C9B126FC53B21E166765E4C4B0CACB2E9BCEDC94AC81BF0343567DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:15.069{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F865EBBB942F59115B95E3D55D88F1,SHA256=776B169CB7120AC2031268B99E5E13B3D6A9AFCB2AA94247EFF7D574C22096A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:16.084{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47CD6AB90CCF57AFA74FB95397A24E9,SHA256=24C8B4F3DCAE484CBEE6636443886E21EF98278E78038210E250C736A12929F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:15.907{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49192-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001047560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:15.907{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49192-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001047559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:17.315{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C0003D9371F54CE5797CE085DBA740,SHA256=04A7F5980227B3E5BC5BFEECDCF33F40CB70D46D520E9A63F9A4767F98216603,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:14.381{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-6668-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:17.451{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DC3C4561157F58565552C38485F39FF,SHA256=93331ABD678669303772AADF34EA27B650AEC83B1A1ED5E1D55C28510BBB8037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:17.092{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687A414FEBB790E4F4E31078746B37E4,SHA256=75D808D2844D5C7D6D4D41BA3558FDA9379420A649BD4435F9E8FC3F1F0C2DE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:17.252{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3E0A3A55EC5E63943EA9B8FF16E1F19,SHA256=CB9A8846B684F9040F76364960E3B58906B7CB99E55EC19FF10A9BD250324D29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:17.252{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D435D015DF503AA03A29FDB67B88CA21,SHA256=2B1A47DB431475575816A19497835189B8457A71943ACAB423B0D7912E0B011A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:15.738{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59235-false10.0.1.12-8000- 23542300x8000000000000000976028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:18.217{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94C5F91A2D0FCA869B1E40F6AD82D59,SHA256=9FC85EB29ED93F26AE38EC6DC7976F2526E0817078791B7AF5A67C8D7CCFFA18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:16.559{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54645-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:18.352{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F05B388CBD7423BEDEC3508B27C4C557,SHA256=D500E566D2575BB947333A124CF3B480231AD03A7F0E4B1C61BC1E425824F8F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:16.762{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de62780-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:19.326{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3776F57FBEDDDE60E07A8A64E5920E7F,SHA256=84278F2A80DCD134148F4395925E8E70638C2898D153E0DE9DC5253D0AE24F0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:17.960{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49193-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:19.368{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB24B653F6339218235EA024CBD59BF8,SHA256=F6037A8CBE4A5341183E548AF1EB2B486675E4F704BFC5FA9CE434DF63DE95AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:17.586{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55829-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:17.452{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-19028-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:20.545{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34F2E2B34E7410619EF29D2E913BE9A9,SHA256=80E0C1ADB333267D4BFDD8621EBDA43E7F5C1A82BE572B1B898C083D1C03E434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:20.389{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE72B48CC8F490DBBEF1AA89528FEAD3,SHA256=FFDEF284BC6E1E563CD91480A6E0F8E490771979C65296F00994D975F60C0E23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:20.399{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=688140870F6D281CCD1560BBB281866E,SHA256=91F13598716AF415C4FAB33F4DCFCCB5D720C05A07713A4F92752AA198A17A56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:21.813{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3E0A3A55EC5E63943EA9B8FF16E1F19,SHA256=CB9A8846B684F9040F76364960E3B58906B7CB99E55EC19FF10A9BD250324D29,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:20.173{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63975-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:21.429{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22AD10F21A7B38A335E361E403ADD982,SHA256=6C23778DC4E61F2B4FEE4CC9FFD063590C888CA16CA1008878B0F9FC1EA772EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:21.623{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E15456AE4B173D54FCA19852320BEA,SHA256=426755EAECAF7DBF456BC78387EC311070C0D67E61CD370037388C94E0F62BB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:22.844{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A80D71DEC88CB5D285DA9B2735203EA,SHA256=2CD945974ABE75684D9CCA59ED7422A5A3CBED4C926448622BD4D0ACE5375D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:22.482{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3613E8935727E46AA9E64259513416,SHA256=B176DB2EBFAF955BDE93894441ABBC6745D0E44C173079D1B24C2FBB78C211E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:22.484{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=018A5F949C1D2EC19A34FCF68434FF6A,SHA256=5DBE2C44ACBBE27BF0CC35EC6A19B2A08F69BE54AA8A9421773735280B9E9D99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:23.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=557D9B2E3EF30A435BE4B38466FA9FC5,SHA256=97B2FB5B64684B71520DFB623E4F97A838D1899B1BCFF79A3756BA2825B1CB58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:23.482{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D780B18ECB1B3EDF93374C796A836398,SHA256=9B07024B832D3DC7EBA8BF75B3762146CF18AEDB8516CB013B9AACCC3F637E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:24.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE94B30823A23202EB53CD82E2E85EDA,SHA256=102079E34FDE21E5F726B24E5DD76679A1E977A6D16E0EA2929F0CA5008706BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:24.497{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72D082CBA01A7A82B48C7B99A564F961,SHA256=0BAF62BA590125934AB32BC5DBA9A7F94E83C2785BA8C0EA9592CC279E17309F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:21.737{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59236-false10.0.1.12-8000- 354300x80000000000000001047574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:23.957{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49194-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:25.511{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F55FC2946783EBE8697BE0E699F609,SHA256=E89AA029F972F7D8BF2DBC4BF34D2DBFB5DC1D799C1BCC76042F37CB7625C389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:25.875{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDC3FA06888FDFEB88BAFB10E18D5A0,SHA256=D14699117654FDB34DB4813B047D2B65D9D34A53A8DA05C08FC21B95C9F4B906,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:21.989{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-48957-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:25.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E16C2B9A985E18ED9ED5E275FB705316,SHA256=5197DF7332360921E299E30C552954700F187F105C26CCFA166ABCE86E017AC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.937{69CF5F33-87EE-6151-6D79-00000000FD01}32562336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000976072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.922{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED199368330370DE5634D019A0E612EF,SHA256=AEAF6320544001D8E3814DE4212AAAE26B505E07965B6701DA11E8A0BEFCFEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:26.516{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B432CEAB6D819545E055F1ACC8B79E0F,SHA256=DC57CA0E4A654B08984E91242B4EDA825DDDFC2BD9DFED80B3B5D52D5D50AD60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-87EE-6151-6D79-00000000FD01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-87EE-6151-6D79-00000000FD01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-87EE-6151-6D79-00000000FD01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.751{69CF5F33-87EE-6151-6D79-00000000FD01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000976058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.328{69CF5F33-87EE-6151-6C79-00000000FD01}34403792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-87EE-6151-6C79-00000000FD01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-87EE-6151-6C79-00000000FD01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-87EE-6151-6C79-00000000FD01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.063{69CF5F33-87EE-6151-6C79-00000000FD01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:27.531{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C7956E0B933991D7BC324BBE165C849,SHA256=AAB3A52F749DB92D034E785ED64A96F6473889E27743663BD203348E81AECFD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-87EF-6151-6E79-00000000FD01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-87EF-6151-6E79-00000000FD01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-87EF-6151-6E79-00000000FD01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.438{69CF5F33-87EF-6151-6E79-00000000FD01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.281{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B94C8AC33B05A12D7ACE2BF0F02A44DA,SHA256=263A956BD75F49EB86D49B9700FC6EB88ECCBE2173F9518764117C756A3486ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:28.548{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C5B710F316CF7850B05D3FAAB02D7C,SHA256=F4024B4806879DA318A367FEA5039C44FE4DDD1BD87AAC50667C0266DB4EA68D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-87F0-6151-7079-00000000FD01}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-87F0-6151-7079-00000000FD01}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.828{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-87F0-6151-7079-00000000FD01}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.829{69CF5F33-87F0-6151-7079-00000000FD01}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.484{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DB1AFE94262D35785A91C2F03AA1CA8,SHA256=18125E21F326BE1DC758A9C4B5BDFFF6651569BFE661E2DDC2015ABA026A2E88,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:24.766{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de59689-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:24.478{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60143-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:24.140{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-3964-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000976102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.359{69CF5F33-87F0-6151-6F79-00000000FD01}16163652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-87F0-6151-6F79-00000000FD01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-87F0-6151-6F79-00000000FD01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-87F0-6151-6F79-00000000FD01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.126{69CF5F33-87F0-6151-6F79-00000000FD01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.062{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861A92BB4204761B61CE5AF9FA6DE115,SHA256=002F849CF650681737A480CC1F9CDCA4F6FA0D35CAAB591139AF6502AE07C05F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:29.647{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD758FC5EFB0B6C3D2248F7CD2CF5C21,SHA256=8DF9F8B40C1F5F468DED5CD7C66547824DFFD248E810831D54F071E1F8A09215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.907{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EB3C70B51A894AD13669C65D02E5B46,SHA256=0A6A2DCACB7AF5CE5BA2F95BBBFF27C01299278F00838725E2B1A5978B06B618,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.658{69CF5F33-87F1-6151-7179-00000000FD01}28483308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000976134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.658{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0BDB74D34C095DCD6F4A86018DDE54,SHA256=AC98A38A874A7112EBF4DF9B6791F9D61692B79262B4F97176A5C2686D59218D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.508{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54719-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000976132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-87F1-6151-7179-00000000FD01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-87F1-6151-7179-00000000FD01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-87F1-6151-7179-00000000FD01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.423{69CF5F33-87F1-6151-7179-00000000FD01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:30.667{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F240C753257261CD152717CF417CFE76,SHA256=52E32E34B3058B4C596E81276079D34D0928365949DC83276D89A79CDA181E6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.768{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59237-false10.0.1.12-8000- 354300x8000000000000000976140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.226{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-16663-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:30.453{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A87456DF929D5A598414D980F5049A51,SHA256=77EF132167842D8AD9DC882177B9D105BBFEBFD5BEFF1E9AE194F9C9B72278CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:30.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=188337D50D9E19815397EDDC1C201DBD,SHA256=A325AD0CD062781CBDCECF96F1A36662749E10FA938D49A3ED19051B336A92C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:30.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7BDAAC1E28D9995DAF78015B6910A8D8,SHA256=22BB2E747CF08516B1F754D84663423859C813947A339B6E9D52E3CF213CDC44,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:29.840{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49195-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:31.697{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=598E72E10C85A839759C20D36251CC70,SHA256=B18049381BB639C4C8794CB78A38BE311C238D8E49E5E23F3CAA6FF80AE98016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:31.687{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F178F6EBFC33F8D3E85403D064F021A,SHA256=AF98998B42D123B7108AE58FF6E372A081C4E5E047B3714E9348095EEE545C75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:32.906{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C64694599F570724D4CD9B910332F74E,SHA256=7CFDD8516AA4BCD99726EA122A00B1D9D108B1B27DBC24C71FBE806FBBD77902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:32.713{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6E8BB56E665A783A4CE2E58278F771,SHA256=412F2E601834A798F1B4775291530799A6D96D08B4F0F763E0EA89D0EB0D22E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.738{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-51754-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:32.453{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CB63556AFA47AA6485A7F20EC938ACF4,SHA256=22945093BB9AAB07EFB3CEA35AB9765E7CE0CD57683A56EFC489E4861F3ACD7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:32.234{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D243157EA9C3B9BC5605C0A76CEBB82,SHA256=B35772D56269C459F97D44FB766A21B3ED6B32E9472244FBB8D8699E3BCE3ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:33.969{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F489F1C8A451DBE8314B84629DB83A6,SHA256=D93F6A4568F4DE2C5C1951C952FB0E8E289700500A64F26D1683230FA969C0A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:33.745{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1097DB26BDBE923C40298564DC7C976,SHA256=08ACD43FFB59A02C14B72547AD86EE621ABED1AEA012E2CEB5F12B4CCDCECF85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:30.621{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com57134-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:33.453{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=228256D54BC945B0EC9E5E23D1254E83,SHA256=A8FF15F1821462CCDC36483D2207C5C62E2D7B4F6BC3AAFD28610C1EA8CCEF9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:34.764{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341F1C64E9BF4C50B4ACCF16C518A300,SHA256=86E2D9C363030248776408E50023D504D03B75BC2C09CB2CAAD43C1F4DE5738B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:34.984{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7286C7E7297752EE7312AB00B87F79,SHA256=9F5D9BBDE3FF7BE94D982445F804C2289728BF50DF7BE114268FDE3AF7E8167C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:35.984{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8972DCA17FDD23D81306B8D3DFB10172,SHA256=65F0F74B100FEC63A42589C9FE136EC763D1A9F8B9483B1F28DD0E9FB0AC88A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:35.779{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57063B2E219F7AB2A3ECCF835C4AE246,SHA256=0C92741988C52311F5B46C6B584E7C0160607F7B7662EE60B570597E00917612,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:32.784{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59238-false10.0.1.12-8000- 354300x8000000000000000976151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:32.241{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-45888-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001047587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:36.780{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9E219F527B00CB1292E723D2E0F8C4,SHA256=ECD35747BE2B2861C19B690AE7920A481FD6A9822D3CC270588B051D3F2DCC76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:36.363{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:37.828{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C956856ED7599B1B9B96B08D8FF1FA06,SHA256=146535367DA59462823C3BAD2C0110E97B1771F3FED2E0204E5C9B779D34068A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.890{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-87F9-6151-7279-00000000FD01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-87F9-6151-7279-00000000FD01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-87F9-6151-7279-00000000FD01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.860{69CF5F33-87F9-6151-7279-00000000FD01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.265{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EC625471CA9AE903AB58883E4E84708,SHA256=BE098F71950FDB59C5753727214F967416A3DCB187F9D03F28B5BE8C077E3EBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.000{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880B5D76A9B8C97DE74B9E362AB1C653,SHA256=1A68A45F3072D87556C0C1772B0BE55FFD07816F794A077E5ED2437EBE0B8B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:37.681{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0151824DA34C4F6BFD56F5858188C476,SHA256=A8E24EE9E3FA1B7AA7C609643623BB5FBA987D0F766C65B63D3D54054D22510A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:37.681{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93030110D538C02AFEA7095DF3D62D2B,SHA256=33205A57AE6193B8FA57976B2545318994A6184DD09406B36817F11988B735A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:38.846{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F5FD83B86895EDBDB438BF669F6E58,SHA256=3A139763A0B314AE920970E738F6B05589A922763D83E595A34EB31A0A2B72B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:38.015{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF5328FEA2FE7450F4998E932FECF76,SHA256=2746508CF2621929DDDA232500D53740067DF3A32EDD11074B6068B9FCB8550A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:36.067{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61206-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:36.033{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49197-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001047592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:35.823{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50101-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:35.770{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49196-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:39.912{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A522C90FEB45C2F61A4CF548B53315,SHA256=C34BF1260F2171CA90CF0DB18637F0F067FE35988722178123FBD104AB0A525B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:39.078{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A1F6D879324F585FFC965DF3BDCB801,SHA256=3B5D758C657B9C1E2F3E4ABF3A7B154AAB3C91536556BCED642E70D75A18BEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:39.015{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEC9257871CD52D846463C61E909CEE8,SHA256=189A3FADB1C1D4195C4159BD3AB2C19CADE29F7FF28F23FBFCCF3E25720B848F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:39.264{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0151824DA34C4F6BFD56F5858188C476,SHA256=A8E24EE9E3FA1B7AA7C609643623BB5FBA987D0F766C65B63D3D54054D22510A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:39.164{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2EA2251915F5C0845B43BABAB3019769,SHA256=8AD4648D657EFE816FF7B66AF2A086950ABB8C69F3718A6224109AB2C1E122FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:37.078{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50868-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:40.926{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B171FF1E45D889EBAAFB083B12F7506,SHA256=BF7410AB0E2E5DE1E88632C412A66455546DC9F4E61AE8C93D1BC67600DE200C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.219{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-16010-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:40.031{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CE4A27CB9F0C8730CF916F7DDEBE66,SHA256=9AA5C26BCB8181428FE2A782DEECBE5AEF4935E9F1ED5D69A0D0E0DBC862262C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:37.822{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse39.101.135.90-59772-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:41.946{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6149CD4FB0CF23A926A559AE2ED6FCB9,SHA256=C552BCFB641A6BBF4DE20FA39D8E28008AC5175CF5B5B2D9CB0A722278E823F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:38.815{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59239-false10.0.1.12-8000- 23542300x8000000000000000976174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:41.047{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607451BABCD3C0A32E2BA4DFB8B3FA43,SHA256=08A28FBAF2EE0D17F20B5639626D85B3F584AEAF3BEE206BF7A99E6AD6E18EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:42.965{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46489CC13785A1A3825B09A6CDE3656D,SHA256=49A302F6A5FA2EFBA411BD23151612343C1BB092CF989C2D7195EEAB60EBFF68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:42.965{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E38A3E2F11832AF5F6AA8964412DA42F,SHA256=FE35485579DC6F741BB9F19BA9C58AB3A0DB3C3F0961288E520900C5A144C84A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:42.343{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B27AF1374670769C32A29C711DF728E,SHA256=888C29B4063D1B3A19F6AA164D23949C7351E325AAC5E6A5E056D85754567A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:42.062{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10CA954A1BC2D18F865CE8B3C12A7B90,SHA256=053B2AFA2E2208F311582FC42364917A17FB7D19F6A267AC4075FC86AAF0010A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:43.980{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E8866F591403C1864F71DF7D8ACD46,SHA256=0FA9D98C56E0FB21036BCFAD9162670E9ACFD51020BF07C0F75C1015F57682E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:41.701{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com50950-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:41.342{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-65069-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000976179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:43.807{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49CD77B96C83944B89F901DB37762E7C,SHA256=F683874FED20BA32DB0D58CD11B72CF809EC63A785DB79A4F5FCC759ABB6DA51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:43.073{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC86A64A5F62D8D3BE69D61A713700D1,SHA256=C9653DCF730614526BE5BBF50CAEB5DD554A1D259D7C45C0DDCB463DCC3D7B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:44.073{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4894F6D0635E9F20FBB02F0BC0A2F7ED,SHA256=723F3A9A542D16955DBA419A4E2942372F99F954030E9A419CCD4B1FB71E791A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.927{5EBD8912-8800-6151-DE79-00000000FC01}48607016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.765{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8800-6151-DE79-00000000FC01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.765{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.765{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.765{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.765{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.765{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8800-6151-DE79-00000000FC01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.765{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8800-6151-DE79-00000000FC01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.747{5EBD8912-8800-6151-DE79-00000000FC01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.480{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=328420F375BCAA341D020D35309FDD2A,SHA256=963757005956C5B89F26AB148659452C755355B46C0DD910C1B591E2289F7539,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:41.737{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49198-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000976180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:40.517{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com50722-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:45.326{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4296MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:45.152{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6141BAA364BC1E6975005FBEA5298E9,SHA256=478798054E2C7B6B0557514A62429FE935404B72108373EE58F060D960496D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:45.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B07BE56189DA263FA8AF70A93156E6F,SHA256=9DC6DC583654256A926262593C896814F63A2AA4F76EE2EE6B05DB39A6DD6EF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:42.461{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50662-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001047628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:45.726{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25FA5DF64C5115B2A68AB0CDEA9CE423,SHA256=BBFCD4368CDFE17FF3C4CEC2D5186FC9FEA40E44D1BF9EBC3EEDE6DB607EB575,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:45.448{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8801-6151-DF79-00000000FC01}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:45.448{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:45.448{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:45.448{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8801-6151-DF79-00000000FC01}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:45.448{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:45.448{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:45.448{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8801-6151-DF79-00000000FC01}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:45.427{5EBD8912-8801-6151-DF79-00000000FC01}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:45.027{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56646E94DC7CA27D34C141FBFE31DDF7,SHA256=78DC2276E6B4365D9B3A7729ACC0F578555599C8FFD6644818B1E8C5F8FCF921,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.092{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55307-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001047637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:46.147{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8802-6151-E079-00000000FC01}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:46.145{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:46.144{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:46.144{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:46.144{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8802-6151-E079-00000000FC01}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:46.144{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:46.144{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8802-6151-E079-00000000FC01}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:46.126{5EBD8912-8802-6151-E079-00000000FC01}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:46.047{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F305F6662A8ABAA18A3D886387DF4D,SHA256=0747354B555EAB5783357E5D35948DB0EA1F99E57CDE98607F14BC7FEFFF4C45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:46.340{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4297MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:46.088{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE866EE7000E78EB1C4CD30F48946D1D,SHA256=27AA5D52A3909CF22F35B05C29802B22E2813F15A7B7C3B2372025E77A4F9C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:47.151{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59847F7E91E8328AF638E5C313D9946B,SHA256=758B44A1BC1EF9D3362D8E4229CF918FD351C4DC99C6F38F4BC2E7662B126BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:47.067{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC0FCDFA769160C45D2090C7546B1316,SHA256=7DD40B97B04E2CDE55CAF41950D96A35D585E3DD1224ECA486A6F1141922625E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:47.667{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BC0F392E2BD77D7A383D61760668880,SHA256=D6A571677F2614C2C85630D760AAB7082CE3AB8D243548B764581FAF0320FE3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:43.843{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59240-false10.0.1.12-8000- 23542300x8000000000000000976188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:47.089{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4EE23C8F6B08ADFB9480C100E72FB4,SHA256=5900110C3C14714EB1F0BA803BA80910D0B53D52F6E3FC39A9A6A087E8220030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:48.104{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0623F870490B24FFB39E43039F3E64A2,SHA256=7891E890D29F9BAE865EEA265F8FB5C8F846497114C56DB09A4DEF916BFFBF93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:45.274{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-45441-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:44.942{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56505-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:48.105{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517C6FFAA287CC9A90517717B97F4306,SHA256=A876C285A48B3BA78FA03CCBBE906A5BA69580A726273F5DE2AE38DE375BD3B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:46.927{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49199-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:49.134{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EFF91E2D040257339C21DAFDDF05EBC,SHA256=51D6C3A71D0DAA9651FB8CEEDC4E278B86DAE2CA020F5FECA5589A29B5FABEA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:49.402{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1E9922D944D0085AAC6AF0808F18C00,SHA256=EC575F2EDBFD385F245808FCB329D5609CC1867BAAD3A107C0F288F1728BDB13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:45.692{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56943-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:49.121{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F1089ED16F3839084180EDDCD5A2A1,SHA256=EF3446E97F0FE9A11236B1886F8FF51A8C251111E9A84A54519B8039443C11F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:50.234{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A34EED52F91A831F2316B0CB94061D5,SHA256=97A2BBC31C29C5A55AF75AFFD5BD0E62409C6089618D7B8C5FCCE684A0FB1564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:50.136{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9DC05F824BA19FA7BE93E2D6160ED4,SHA256=794D590044731E13A25302923B0CC0154D00183157F86F010D81FFA0F5DE5E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:51.265{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE55BD6EF680EB04914922E3AEEC9846,SHA256=BF95D52228D7918D2099886D98C44558A047B023A49850673FBB0A7FA3152B9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:47.642{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-56171-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:51.136{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57768DFBCF4F24B2C3EE1287470CA6A1,SHA256=2AFD7C6FB133665575BC49A004899EFA3EA9B0404AD7EFE03399090E6A10E913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:52.302{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBA6EB994A4F66C13383D11AF90C517,SHA256=96C240FE9FF2EDF92E2564634D4CBBBC066185067E5000C6D1A55CF09446D168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:52.152{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A71FC615FB10BCE9061ECD0F71F82A2,SHA256=938ABBE139FE970CAF0A15EF189649630823DCC6D1FAE5B00319BED3FAD550E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:53.317{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5E7FCD9D42D9D062A9BB94640F9E08B,SHA256=0C6AC8374EE9702E5032C41C7D2EE48F889320F0CA109F643537AB68763A4387,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:50.210{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-32831-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:49.889{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59241-false10.0.1.12-8000- 23542300x8000000000000000976201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:53.152{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F46275730041E8874EA3D48EA5084A5,SHA256=BE810055A8AC00A602C13AB8F6541C1B4B74D9A41F1B486D1C50661A42D12170,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.900{5EBD8912-880A-6151-E279-00000000FC01}6126116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.732{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-880A-6151-E279-00000000FC01}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.732{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.732{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.732{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.732{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.732{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-880A-6151-E279-00000000FC01}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.732{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-880A-6151-E279-00000000FC01}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.717{5EBD8912-880A-6151-E279-00000000FC01}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001047658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:51.940{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49200-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.332{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F96F7E19E88F4983E7EAAD9A2C915F38,SHA256=90A67DCCBE666DBBDB311F0D04F40EE1244C1E2AD182F133F3844EFE2F1A144C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:51.543{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60695-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:51.302{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-65399-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:54.167{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D07F7BB593B825DA9014A39A48DAE3,SHA256=881E8827C46D82403191A24A9D6A9AE053C29AE57638FE19D5A9AE3BF1EC7AC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.201{5EBD8912-880A-6151-E179-00000000FC01}54601056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.047{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-880A-6151-E179-00000000FC01}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.047{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.047{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.047{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.047{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.047{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-880A-6151-E179-00000000FC01}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.047{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-880A-6151-E179-00000000FC01}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.033{5EBD8912-880A-6151-E179-00000000FC01}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:54.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F971871E47904941D398C56CD47E462,SHA256=1CCC85B7E9FA6B4D85565326579494A70434CE89DD42F85B356906B05FED550D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.617{5EBD8912-880B-6151-E379-00000000FC01}55523988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001047679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:53.736{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de64187-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001047678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.431{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-880B-6151-E379-00000000FC01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.431{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.431{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.431{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.431{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.431{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-880B-6151-E379-00000000FC01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.431{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-880B-6151-E379-00000000FC01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.416{5EBD8912-880B-6151-E379-00000000FC01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.363{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC93187AB28C1B2794FA88ECB22726A0,SHA256=79DB1164AD99A4D3BE80BA33FDBAB85B54F672BDD7E731EC7F0170BDFE0EDC7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:55.386{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54746E5F837E971B2882CD38AE520070,SHA256=DD86064F3971E780AE63F36A331822BA18EE6DF2C5A8DDC24129735CEA502219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.047{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2F71A61774769A3C1DD8D8DE78610A9,SHA256=5EE77537F07B28561EBCC8FA39DFC0A4A18DCD1123B198268832C136B28814D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.047{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10DDC75917943FD2A26F7434FE7AF40F,SHA256=E64C93E2223CD8A7AEA9EEAFB524EAB53F116A08D94A223A17CF6B72925F5125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:55.261{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B6449425B7C436EADE3EE0A4256EC0D,SHA256=C8646AF6E26FDC383C0A9DD003EA1E2201386655406FE7151990D31B6079652E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:56.386{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF8F53963317198AF04220ADBACEE09,SHA256=AAA5CF0A15047815F1C003058A9EF8224C96BA086CD51D0DA36A3AFADF0BFD69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:56.417{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2F71A61774769A3C1DD8D8DE78610A9,SHA256=5EE77537F07B28561EBCC8FA39DFC0A4A18DCD1123B198268832C136B28814D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:56.364{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEC995D73A4B834F78BA6F722402FC57,SHA256=6F2A0FA39C664A7B98EAE533BEACB59B7D2BD4F35BB59C0129D7A36EA990610A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:56.117{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-880C-6151-E479-00000000FC01}5316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:56.117{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:56.117{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:56.117{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:56.117{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:56.117{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-880C-6151-E479-00000000FC01}5316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:56.117{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-880C-6151-E479-00000000FC01}5316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:56.102{5EBD8912-880C-6151-E479-00000000FC01}5316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:57.402{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F227D79920CA69325980A199FB3B74FE,SHA256=9F68A813AABBF37D83C040B13D283F53E4B3197EE362A0DF25F830A0936AA7D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:57.531{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C524BE0E76B2EC6311291CF98E8B9C,SHA256=3481B0EFD85F5011C7E1C87B979EA98389BC70315926912B22AE4AF2B102A981,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.707{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62111-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.389{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61903-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001047691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:57.147{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000976214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:55.827{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59242-false10.0.1.12-8000- 354300x8000000000000000976213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:55.217{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-2742-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:58.464{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA719FA2F990E26823476FFB79813E5E,SHA256=BFD0A57EEE41371F41D483FB70F6B9CCC265926301D4007CFF67A6826B058ED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:58.561{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40AD361131F358A50637068041DA0E27,SHA256=68C330C321A41B24F1FFC929249EFBB2069EA0EB175D090DF4F24ED401C22B7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:59.589{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D20897047905CD6F387AA55A5D2165,SHA256=61AA9425DE482B3467109135202AEAF6A1AD672A7FC3767413FCE123B52BD9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:59.598{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9E4E3D1821C7CA3042F17EDB0041E08,SHA256=B14D2D5F59051A3D316B4CCD3D7E200B87B6C5BFC53BBEC3BD7D7184B0C1F92B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:00.812{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB8132F0A42B628CCDB707290EC432A8,SHA256=C38B6577729E469B9359544042E4E7A2ECAF8EFAF5AADA39F703BD920D39FDCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:00.628{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8936EF274D633C26FEC4E983684D9CC,SHA256=554D99C4219CC96A6D7B94B877F278D3BB9F953255490D3AB063AD0B66DB8E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:00.808{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1381FC0048A51DCCED0821BB0176B327,SHA256=BE6D2DC07ED28354AFB582657CCE50A47AC55CEBC14B937BD61E222A879D5D74,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:57.837{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49201-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:01.658{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AB84A1CD27850AE7FA6FB303A9C99CB,SHA256=2AACE4F306C321B1CDE2FF8DA85FBCED064CBD08C9219B66D847C83180F39163,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:59.161{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63897-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000976218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:01.370{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD2ED0A2A56A4ED02A750DB34F64EDDF,SHA256=8DAB2CDF8FD69CC2607BE20A1E0D5FB7FC7CD490A2B65A14D349BC4FC866211E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:01.370{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1F0256F7ACA4A5563823158C51B1882,SHA256=1F9D3B8D1B4B4BE0AE77F9A9816058848481A7C70B80E7504EF024B021BA87D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:02.842{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=681D9ACA852F7D52CE682C277826F3B2,SHA256=4A33B91FFC8B15D46167782683B7018A7AF4880AA5AF0C980494A8624FF6043C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:02.677{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865C58A3696D88BDC5C63EAD83249B8A,SHA256=F7101B776A1510BFDA3AF5D0594F27D448E2685F1FA6F2928BE42BC9A1B2971F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:02.027{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDDD8B8AD9C97C66AC076FC1D6734D0B,SHA256=CEDE2C9FECED025389F7FFC5DFB370AF5A3F37F111E2DB78059FFB8F8944D6F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:03.695{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453A80FBC6E1FC2024C1471DC8774F14,SHA256=D3B2B4EFDDF0B2D8352DF2CB88D8A9DBBAF7EB27795AA67812B3BAB73B6DB859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:03.232{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C91BAF383089F1F41B15CBC29D72C4,SHA256=3AC0E45AA546DA8DBDC09BE055AD99A956D9E8154C0AF11E4DD32EF63749D273,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:01.204{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49710-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:04.709{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB4ABC865A8A6DD86F8B4F698646588F,SHA256=123F06D11DA140BD516FB30E1811E5BCA539A207CE9FA18A809AD5D35E3F4D3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:01.829{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59243-false10.0.1.12-8000- 354300x8000000000000000976222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:01.298{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-38510-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:04.232{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=734ECB26B278D2BD6945F99BB697B66D,SHA256=5700390584E7395EA32D6276C1F1D98930A94A885A3E69098F68CC330A3190EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:02.849{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49202-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:05.740{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D10F25B02217C66408489168EC94283,SHA256=E2D18D51A0D4F3156F86A875A4E43C2B20C9071E00E31FC1FF8467AA997A9A33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:02.621{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51182-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:05.451{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD2ED0A2A56A4ED02A750DB34F64EDDF,SHA256=8DAB2CDF8FD69CC2607BE20A1E0D5FB7FC7CD490A2B65A14D349BC4FC866211E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:05.248{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7D0FF843051231D6B6957941174D21F,SHA256=ABB8966450156969E972494F2FE14CB802F3A843C35629C0FBEB2B66BE0E6E4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:06.755{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284B145172A43815F71B5968AB1A832F,SHA256=DA0C10C8FA44A08F30034C04901BC7E374F30C05A40223A4510424A20C50B29A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:06.763{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34D6EBBA02459F5B1118DDA3420494CF,SHA256=B6FA79AB8972DF0DA12F7BF76498263E722EB9EF77DF5D9E81FE974898787016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:06.249{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3BA074A58F27B8448034CA59140FA0C,SHA256=7F1F6975C346E14DA773CDE1130053C7CBABCA9CE83DA0809130F23B3D050CF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:07.773{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4672179EAE0BE99DCBB5DD294A0DA0E,SHA256=2EF70581AF76EB05E3BA10C6490D3791AAB90523AEE493DA31C14F52B740F03A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:07.685{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:07.685{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:07.685{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000976229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:07.263{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AB198234CEDA2BA44DF9569FC7D407A,SHA256=79207F0338EEFCCDD5575E9E5B72DA442CEA26FA62349008246A87A06BC521FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:08.853{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F917811010B78B436B9DE8AFC6165D,SHA256=3CDF342B852F0500689221F1C5D66B7345800B266F1F5886A4941EDE8211466F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:08.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2DF407C56263A50E46BF1ED8AFE7DB6,SHA256=46688173A963803EABDB3C2F41117C7EC89AEE36A220252453412775D278997E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:08.263{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14DB5E19BC41FDFCED35322A88517CDA,SHA256=17EAC49C1D93E4B6E7858AAB485698BE788B8ED17A71B0440CAD9F82E225691A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:05.037{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52664-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:04.291{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de62183-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001047712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:09.870{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEA818101FA3AE565AD951AEAB47DB5,SHA256=5BB4EFA219D105AAEDC487B3991431BD59C91B5AF5EDB6E249A6D6204E6618D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:06.544{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-9638-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:06.375{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54846-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:09.279{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14EA355ECAF63468BB43EE6DD7216BA1,SHA256=850CA62D520B90C0E0FD977F0AFC3600754427597E593B6BE43C712454CD02AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:10.889{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=580AD0620C6BB08C6214209B44A029B7,SHA256=F93130981C7F252963C0D87998F67E17D8E51DBFD4D93E620741E0E6AAC51DA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:07.829{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59244-false10.0.1.12-8000- 23542300x8000000000000000976240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:10.279{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342A9E6A8E70C106F7311C235DB059BA,SHA256=7D8CD99956F273C7518E8E52BB7F39A10F7EEE4EBBB1E8282721DC65DDF0CC3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:11.935{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36B4EAD08756F620DD67137C293AFEC,SHA256=FFB166C8D991C63518086366E9EA4E2ADF0ED1270DCF663A24DEBA233C1FC192,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:08.536{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54926-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:11.654{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA23B3362C68561B31B5E69F56ACFFE7,SHA256=D93456AB46D0F668ACE936C9A30DD566110ABDBBA47DDC5C6D6CCA0608F29609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:11.497{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73136C97577DDD5CFBF1482B834E6F3,SHA256=E5B250637D3CADEA24346749AF71EC23526FAD811728E8F6D010CEC08DA2DE63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:08.814{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49203-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:12.949{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC4878B255BA9998E4E4B3ACF862659,SHA256=6F2EDE2F65979104D2D7D1FF5B8CF334188DD805D801BC1C7B44C992E82BB05D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:12.497{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D362A6E0AD626CCFCA46252F28D6DE1,SHA256=AE1E14DE053E0EFDD64A081CBBA2DE6DA1462FDEE8773C2B1163A0D2D787469F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:12.834{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000976247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:13.732{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED904A7D23289D408294F72C53929E9A,SHA256=0FBD07D970362D6128BFB8420F6F269AC01AB4D53A8E46153F0B9AE4BAC3921E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:13.869{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4296MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:13.435{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:14.951{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D97C9294DEDE15BF7AD7C327CB49E5A,SHA256=6D5EDB1E94D7B888365DE3A3B0F8EC4880A452FF2B1122C96BEC332B1C685B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:14.888{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4297MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:14.019{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9696D08BDABE6540328AB31F2CEF7459,SHA256=EE305A5A3E25BB0D858253548748DE6B4ECDD19FFC3BE4913141F255EEE8F24D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:12.064{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59245-false10.0.1.12-8089- 354300x8000000000000000976249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:11.615{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-39241-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001047721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:15.034{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5ABCEB32B87DC2F737974F3260C82BB,SHA256=A469A0733DCDDD27D42940C4F3A7D9CE82255BCA4D6A985B71088BE3A07B7925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:16.810{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3FB307796755AC51AB61EC79A665E89,SHA256=1E5AAD23022D2B367B3E9A36F04D07238B95A72D59403E0B32D4BFA6BAABC906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:16.810{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67F2A6B58522C9A1D697F0FCC117BAA8,SHA256=081784FDE2FF23BF60639EDF86C51632AAEA21A4FA61C4F68212FB7826832DA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:16.169{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1E6B64FCDA1045CEE644DAFBA63DB89,SHA256=684639BE8AF496C69D4F3A4006C8730FACE490E7A3B5C3FE2CED05BDEBCEDA63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:14.725{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49204-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001047725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:16.548{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001047724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:16.548{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:16.548{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFfc3a0f8.TMPMD5=DE3A0FA109221B18DF49AC1FFC6FE4B1,SHA256=ED397D4D656C29DB004817AED882B128D4456823F423CD84E3D3C39C431C5AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:16.049{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E06E5CAF9A59FA624A4E5DEBBB4B3F7,SHA256=4BED7A7B0785F57FCAA0FD8D6C8EDD1E5B926D9897C81A429AA6A270A1D68EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:17.357{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C0D19CA84B7E96799E059809B9BA48,SHA256=B28B245DB8BFB4611E36C7E5BBB5A4FA586EF694DE4EDB522FA43597E25A6A5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:15.925{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49205-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001047731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:15.925{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49205-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001047730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:15.614{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61037-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:17.233{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D69F92D5EEEA8BB1F71878A3E7D6755,SHA256=283D9FF67D97B9CB8ED67DDA23FED90B0B56B45705DBC80FC6B282A097FECE9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:17.233{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF5A54CC93EE18156FFF763A2B556852,SHA256=B761A20D9E82B022682B04FA4F94320F42D29FA25ECD8FACE7353CDCFFCE89AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:17.086{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970DFA2A99EE629787EC2D59575ECAC3,SHA256=E3B491C1F8FDB9177E8CEBE02A5A1163C0CF924FD21699856E1268711EB23865,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:13.844{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59246-false10.0.1.12-8000- 23542300x8000000000000000976257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:18.872{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3FB307796755AC51AB61EC79A665E89,SHA256=1E5AAD23022D2B367B3E9A36F04D07238B95A72D59403E0B32D4BFA6BAABC906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:18.357{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1960EE30921BF5EE3AE40E9E06FEBB7E,SHA256=31E10B969294F4B018B4543197A2151A475D55C4D1ED15573A3D79A06A698EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:18.108{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0385D34AE4EC405A0487D4336BFF1AC9,SHA256=CD13FD79F959F67ABAA3BD8E3B7776CFBE00F218C9B25AA4181B68A8E97CF748,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:15.755{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-10162-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:19.372{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415FAC7B1617AD34F72B556661A44083,SHA256=28231DF22E197EA2486766EEE82D947AEB92F3475E560CFBF3C1DA066A7D91B6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001047736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:19.375{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txt2021-09-27 08:10:19.295 23542300x80000000000000001047735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:19.374{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txtMD5=F0BCBF359DD9271C690803A1DD7B8B46,SHA256=B5B6D73FAA5C2DE2D4AE521207D32443608DE05D69694AB33F781B7BA8F6DB07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:19.142{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3C575C5D7B6FA3069E048701DF326F0,SHA256=E567C10C690003371F0D0E28521160E74F0F2082E4822A2B6409B848F2843852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:20.919{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=696152B36299607205516B162E0FE850,SHA256=E411E5920ACBDBB0DCF5C7B4B8F1AA4332FC651105C29490F8DC27E05ED2FCAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:17.879{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-22425-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:20.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0058F3FC104BF314F4D161E923BFA7,SHA256=B646A7D3D80FEB10034BA46AC07F0041EF8815623107A1FB0187F537F24E2F2F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001047743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:00:20.725{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x80000000000000001047742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:00:20.725{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x80000000000000001047741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:00:20.725{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x80000000000000001047740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:00:20.725{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d7b37e-0x19965d84) 13241300x80000000000000001047739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:00:20.725{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x80000000000000001047738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:00:20.725{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 23542300x80000000000000001047737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:20.157{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9C1A74FDE55D03752DF251A03E159A,SHA256=CB5FB844EB40B4852CB873CE3D85C8C6017568422497BB62AC1588F67BE232FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:21.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B7AE42794D86B2DCEAB97DB700A3EF0,SHA256=43161BC2498BE21F151AA97A55FD7993A849D547B3E6D2ACC1A3CC679FABA0F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:21.176{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=805AAE71845D9EB7A1CDEAEADDE65865,SHA256=F4F9857F62A190E2DAF3B7861015CF596F2DAE8DE07401427F83142B43814B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:22.968{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08A4F7CC56CAB171C6DC6DE9E689FB73,SHA256=E051A465D3616CBE943B4DC8745B635DC5E2B084D86F62C13979FAB7336A06DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:19.900{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-34549-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:19.876{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59247-false10.0.1.12-8000- 23542300x8000000000000000976264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:22.390{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63E2A55C7D7DB80E70C0D5075F66B9A2,SHA256=ECC5DB6701BB466B392F4873114242FC819CE08EF3A9507488426603D35BC865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:22.192{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B3EB4C319CB51B04EC3335A9FE9222,SHA256=581647B436CA800BA79892507D621A3DFF6D1334D1428A4A3B152DFC9A89F21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:23.405{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A548A094FAA7EC15B32F92B09841762A,SHA256=EC33E91DF2129E281969C1B38A597EA162A2C11AAF089AE708065CC9457A7576,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:23.607{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:23.223{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44877F0055C754D146A6CB7C617F566F,SHA256=A713DFF6039B775894B8E938D6B5169EDF8C804C164D6641FBEFEE58B15A18DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:23.154{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD4A016844E43DD9811588470009824E,SHA256=FF09017E8BB261895236CDEDA87A24F9B1588D138D21C154A56CFA179B86CD9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:23.154{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D69F92D5EEEA8BB1F71878A3E7D6755,SHA256=283D9FF67D97B9CB8ED67DDA23FED90B0B56B45705DBC80FC6B282A097FECE9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:20.747{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49206-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000976271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:24.718{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9B9999B10F395BEAB14EBEC4DDA3068,SHA256=ADB2B9F9137234EF1537D43885F2D9C9DC57FDEA13AD86195E033219DCCC176D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:22.061{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50531-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:24.421{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3EBCFDBA561E2F34D7D10A419924A2,SHA256=41A5DEB07AF8B49B40DE173D96B1E29E1CBFCA01FCFC9910BCF7AAD3D44F212F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:24.237{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CAA7BEDEDC95C035E652AF42B8680AE,SHA256=99BC9C6D59FF002924BE616EDBA4D272201C7C09801BB37A5F86522F0A410760,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:21.853{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62627-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:21.515{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-65391-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:25.252{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D2D28B4FBFA5CAE7E35076F9EB7765,SHA256=2FB77AD63192C20A01BC8629CE743664B51262E61A558BEAFB256C5B20355EFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8829-6151-7379-00000000FD01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8829-6151-7379-00000000FD01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8829-6151-7379-00000000FD01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.906{69CF5F33-8829-6151-7379-00000000FD01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000976273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:22.268{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-46660-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.421{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654F437FE8882E58BB61628DA6992CC3,SHA256=A70E0EF6149D1D674C623E214C011A2A436A32947360690224182CD4B78C2F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:26.291{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF50354C769EFA6B90A6A570A9035BA1,SHA256=337065C81DF609431C2A60781E98064CA8F9CC47E7EEEAB2968000D1469DE26F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.952{69CF5F33-882A-6151-7479-00000000FD01}3656348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000976302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.952{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C352F332955F6671A2588F7D65C18452,SHA256=824E4BBF59AE45E70641E0E0CF7B42AC210742A61578A2CB370526BEF0287F6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.561{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-882A-6151-7479-00000000FD01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.561{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.561{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.561{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.561{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.561{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.561{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.561{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.546{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.546{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.546{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-882A-6151-7479-00000000FD01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.546{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-882A-6151-7479-00000000FD01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.516{69CF5F33-882A-6151-7479-00000000FD01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.421{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022701C1F1D6581E48F0B85B685FAD22,SHA256=8060AF56C4F2EFBC893A21816D6BD80B23ED3AAD7711C26511D258882896F7D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.233{69CF5F33-8829-6151-7379-00000000FD01}13163004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:27.321{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4BC16BEF744DBAE7F42051C036BF6E8,SHA256=B6F4B217C4CB16AC9ADBC0345DC50A71B95F83421251A813D0D8C8B737CEE53D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.499{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70FA0D5AF3FF5E97B3556561B2530F1,SHA256=A53CC882B6024A87922C1BA4EB477F89343E545E97E67199B768DBA69709BD7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-882B-6151-7579-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-882B-6151-7579-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-882B-6151-7579-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.406{69CF5F33-882B-6151-7579-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.780{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CF6FC1A1491213E2F263D9BF3F94CC,SHA256=B2019B4CFFF63DCC6ED6AA9191B753551824ECEC4DC8423F537492009A1788BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.352{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DC5005C6161ED031115DC59A5BF646,SHA256=28080ADC0B6DC245D6E7C6D1C37794E7F97A5478CCB7B536BE29E1A02D52BF39,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:25.863{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49207-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000976348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-882C-6151-7779-00000000FD01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-882C-6151-7779-00000000FD01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-882C-6151-7779-00000000FD01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.640{69CF5F33-882C-6151-7779-00000000FD01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000976335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.830{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59248-false10.0.1.12-8000- 354300x8000000000000000976334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.783{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse110.10.193.201-55823-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.449{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-1235-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.483{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE9AC7A4EC829591C20C20CF724CBFA2,SHA256=B94FE5F507A846AE452FD9AB96D9B6F0F9F5D9D69997D31079E007E6F82B182F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.296{69CF5F33-882C-6151-7679-00000000FD01}888344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-882C-6151-7679-00000000FD01}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-882C-6151-7679-00000000FD01}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-882C-6151-7679-00000000FD01}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.093{69CF5F33-882C-6151-7679-00000000FD01}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.874{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D45665A5A97A59D99F0A4E670F6578BA,SHA256=176D90E461BB8B761E5565DCA1BB7B9B99E84404D801D4DBABC548C90B62162A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.780{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1B31149C2F372AE4B2713F0147E83E,SHA256=E2BFD850A4373C3AEDA9B69BFF01C1633A1EB4FA03718D15624B04DCDF6271BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:29.951{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:29.920{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D189C928B9578792B2CEC2485C0F88B6,SHA256=B99C8C92BC872006CC13448D8E1F566FC0DC593A9C8ACD4582AE1001298D04F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.530{69CF5F33-882D-6151-7879-00000000FD01}15721748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.358{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-882D-6151-7879-00000000FD01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-882D-6151-7879-00000000FD01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-882D-6151-7879-00000000FD01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.328{69CF5F33-882D-6151-7879-00000000FD01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:30.952{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F4D0E041A3AF420B15DB9D545A3F24,SHA256=51B009DF050204CB3FC0AEB5BABAA089AAAA17F046E110DA818D653C46CBB391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:30.920{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EA5C06C26998CBC9B4A476978E0AD88,SHA256=96256F5CE8258782925E88011F15D2760D9D5363726A5720157129CA70024D76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.883{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-56473-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001047793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:30.720{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8E45D3F90516025A1D739921D390CCF,SHA256=B11F7503C7E1311FE35F5F136D628FC258884A4A3E3ABEB6BCA120B616792388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:30.720{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD4A016844E43DD9811588470009824E,SHA256=FF09017E8BB261895236CDEDA87A24F9B1588D138D21C154A56CFA179B86CD9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:31.968{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A97B75B37A7A5D633480EF58525A5B,SHA256=B71C2B87E689F7883D529B1533540E9362EEB68A2BB30EF4BE4DEE5066B7C75D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:31.736{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=B358908272D891D94EE21F1CE6A2AC0D,SHA256=A1AAEEBF545BDC2060083DEE061CF95BB160F7B1D7CB4A3759D48802100C4AAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:31.736{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=CBA003B9D12780F1E00B368480B02F17,SHA256=D169AE0ABC9A6175BC812B8302D5669AD3A25264880AC62E9AD53DE4FA60D932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:31.736{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=69ECE88C05AAEFEAFB973816ABC83EAB,SHA256=FA329A45AF6E10B1289469D2A9828B39B5FE0E8ECE393EB87335D56D6EFE7D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:31.736{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=F6D96F70967E41576DC81E0B1800B1E3,SHA256=E6900290D1E9F042A7DB0D18684BAF1570CB64568594BB7E42FED2682AD7580B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:31.736{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6A40B19543BDCB400FA681F1B6A5FF38,SHA256=CD2D2907CE6F50A774078C4D2F3FD3A3F1C3F9501CBD837CD5549C80D493E49E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:31.736{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=13089060964BCDE28A5A40D7F74C7134,SHA256=9A5A7E2582A433E3A1CBD2CC589DDC582549D126553DF6EE494E3125ADD2DCCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:31.189{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:31.189{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:31.189{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001047795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.638{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50493-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:32.535{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=FE53614D4DD49C843BFEFFDCE2E0D8AA,SHA256=22A7234DFF136E6AEB56566D8026E9A9735490A65D664037FCDC908C4CC9011B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:32.535{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:32.020{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8E6F6BDCB6B25FF15D36EA9D0EF577,SHA256=C2AA4B7DF84541257BA51F9DD6EAF7EFA6E3C6469F522A76B320C3751C83EA32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:32.686{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AD2B24DC6658A6CF437E6A3811B8457,SHA256=847019E3649EF28443FC9D2236AC6D80DBFCD4E52569C11D11E808FD4C530859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:32.468{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1B6E7BE0F0C4E75A9B4A8C1DB9DC8215,SHA256=DAED3C86CDBE84CB4411D4E78749846DAF66A9ABA15D8A36E37C60539E9B5CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:33.087{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D1409A08E5A504EDF72071892A56C6,SHA256=21DA47B27F45F2D068696F60E8CD906D00A1F0812654AB7E26B22BF1C5D432E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:30.430{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-30370-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.951{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51865-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:33.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E8C912A854D40E33388D630A794835,SHA256=FFD48F1D47EC70ACB71EEA753EFB4E70409F743BA4E6C52E7C0BF65A2E42A055,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:31.758{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49208-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:34.117{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C812AD7ADF90EDDBA915BEC9DDC8E11,SHA256=55C4FC2125B3AE7A064792FA551F7496C14770232E34E430C372C3E5BF4EF422,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:30.861{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59249-false10.0.1.12-8000- 23542300x8000000000000000976374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:34.061{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=030FE4D787FABB75DEF4733274F813CC,SHA256=2B5063FF0FDA9B73ACFCF3D0BE25FD0C7DBADDBF6E0ACE3EBE9D3A1933D01A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:35.133{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C161EE3F18BB54F36632F04F29D949FB,SHA256=70B04202AD68C059433B18A8C37C73F068CDFFD08BB86DEFC2936E5F05BE9448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:35.780{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CFD3C92BAC1083A673C4F08904A4A22,SHA256=728FACDADB0D6D681C9624257066B6B79B991A949A9446D7D14A9C9F756EB869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:35.233{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA129EC9E7D81196BD125FBE5428BD45,SHA256=417BB3613CB3ADC24C0DD38BA913C24F3B4EB158A1A2BC649189545320B778D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:36.311{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1075FFB752767959F040D93FFDD600B,SHA256=6DDC808A119CD751FCF1D63501004F81100C2B5F8BC00CD5CC9E04120D30DFE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:36.385{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:36.347{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72C4E2B63B190FD55E22352E80BEBA4E,SHA256=018884482B423466E51DF30CD7F427AE02ABA6C4731977B37F85935B6D39707C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:36.347{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8E45D3F90516025A1D739921D390CCF,SHA256=B11F7503C7E1311FE35F5F136D628FC258884A4A3E3ABEB6BCA120B616792388,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:34.058{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53752-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:36.147{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CBE1EE1CD4DC60029393FB25F9FAE53,SHA256=93904EA23221318BDF24E107F749BE6F46364A3031396C86A20898348491D9D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8835-6151-7979-00000000FD01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8835-6151-7979-00000000FD01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8835-6151-7979-00000000FD01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.719{69CF5F33-8835-6151-7979-00000000FD01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.327{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC4DC336A22C898F688C7742EB3F306B,SHA256=71F168B04D308DCF2CD2A81664827E796783A5A89B03E9EB5894D677365EF76C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:37.184{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82C44696431A81D451EA42E033286C8,SHA256=91338715517774137763B423D5EEF366D745CE89E47DAA04680CCE8A923E0F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:38.733{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B90E682BDF9DF5CC4452C781DB3B6DC1,SHA256=851DFF16743D2C3D5D1A7EEBC99D4E5F268BF060FB459A2A2AF730F2899069F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:38.342{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF77C69057F17F3E2A9908F2A79E6D9,SHA256=F225E2701A66F2047B4047B4CAABA92AC9FC203A6CAC1643261A8D3CB1FF59B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:36.055{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49209-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001047818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:38.214{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2822B05514710A676081B236BBB6D7D9,SHA256=CC97B48F04232BDE6D94723F1A678E445F28FFC0C3819AD6D5212E681F296DE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:39.530{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA4BD80C75970FE3022C2ADCC2D9FC98,SHA256=9A9B585597FE389A0648C0A2B5E861A04C0D095E259664E20BA757205E45CA42,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:37.753{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49210-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:39.229{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6373EF878AD2CA35FE7F7D4BEA45D6,SHA256=AF1C1EA8224BDCFFAA2A0CE8A7968835F3858EE20EA150F9899BB2EF52752F9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:35.822{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-2356-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001047820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:39.164{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=071499FD3A23D6C220041F410D7E4997,SHA256=158180F0F90DDEBE1B8846C2C0F708EA962FE3DABB74DA0AFE3BE1DD448E9634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:40.561{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63634AA65EFBA586574F929EF994F9B6,SHA256=9A91D57EDE6FEE39026F028298464AF269BA315A697B0311ED1F028D5BA2525A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:40.913{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72C4E2B63B190FD55E22352E80BEBA4E,SHA256=018884482B423466E51DF30CD7F427AE02ABA6C4731977B37F85935B6D39707C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:40.244{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08824D6E71B1119BFC70AF907CE2EF9B,SHA256=10680AB9F0A962A535DDEA9C79D57878A4F7049C9CFEA70633BED2F297EC4B02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:36.887{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56037-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:36.877{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59250-false10.0.1.12-8000- 23542300x8000000000000000976401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:41.593{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E09EE3A0C87CA107E5B560387BDD6F8,SHA256=1DA7174DE2E2B54A3759B1A3DEF6D6E13671CB68AAF1641B6AE09F7DC493CE19,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:39.319{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64113-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:41.263{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA769FE0A4508625B1F519EEB120BF10,SHA256=C3A4DA3D5B432C4E73F911CD1BF2E27273ADC86D58EE60E5E32C144E8BEE59CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:41.046{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=757E352371CCFB2253D9DF96A449390F,SHA256=121608F0F85D2CEC24024F68C16DE3189E2E54BCD04B776A510F50755D4FEF15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:42.610{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F0B99811ECD3616F0FAB6FF4EA7FA6,SHA256=828D0389B4AF656EE89BDCAFE41B73AF8989FCB20C65289516B7005B21DAC46D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:40.508{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57676-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:42.395{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92E3162F2DE9129347E07CCB0C0C48CF,SHA256=BAFE24AE5F7A395ABDB9B39ADF6C64026974BB72FEAC2AF01DAF4B468CBB13BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:42.285{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=401CC775D85D3EDB93723DE655FF177A,SHA256=98114710419F5E539B36B258812E3B859639949E732F47750DDD3CB0C3755C1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:43.669{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30DA5A8B2195C9DC764DF78FF7D2708A,SHA256=00C65C43B63DB84F16EA70BCAD7BA6FA2BECB1C947A24790E3C3712B253A74A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:43.978{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:43.359{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A6646281ECAD6E75E1E9D239EA7B43,SHA256=C20BBE8A792BA8D64C280E356B791A7D7A53549BA46D56F8983E277FC1D9C3DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:44.685{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA46816397FAC389E86F56AA9C4F72C,SHA256=F2AF579B4D90CB7199D73662768795C26CF0CFBC9DC4F80BB76A54B7CA665B05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:44.709{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:44.662{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-883C-6151-E579-00000000FC01}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:44.662{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-883C-6151-E579-00000000FC01}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:44.662{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:44.662{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:44.662{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:44.662{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:44.662{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-883C-6151-E579-00000000FC01}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:44.641{5EBD8912-883C-6151-E579-00000000FC01}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:44.377{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADFE6137E99F4AB691BCBDCFED0C0FC,SHA256=0116823A333EDF2AAB48A940B0BCABF4062A29B2B6FE679677D6AC2D7D60194B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:41.108{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-33170-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:45.732{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2EC9566148D07EE60CF61852A91B775,SHA256=57831A59F392E96DC0C8CD6A015D7366C8F77E3A279986BFEA958B90A5C25342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.643{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB68EF916FCBA9C2FD442BF8BB106B7A,SHA256=E57C0A514BE078D2EE78DF0DED586DBD008A4C6BD502EA4C7246B1F512173E75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.410{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD592ACC61E951FF3D7A0A4D389377D,SHA256=FDE911936FE0C4281AC48846697FD7F2433252D5DE7A81C6AEAB5511C9BD0565,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.362{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-883D-6151-E679-00000000FC01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.360{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.359{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.359{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.359{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.359{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-883D-6151-E679-00000000FC01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.359{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-883D-6151-E679-00000000FC01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.342{5EBD8912-883D-6151-E679-00000000FC01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001047842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:42.932{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49211-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000976411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:46.862{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4297MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:46.749{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9D432CF56821D140D4C8B4DAD0CD98,SHA256=0CA1D2F30A9316025EDF2A3542F70CE5D5723981B1CCC99E07AC3C0ADFA66300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:46.427{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2E8B88346C8664FB46C043F814EB87,SHA256=ECAAE33516AA67AFA7E304CDDF53B246293A90218CF75DCB31FBCBD02790FC47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:46.263{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D5BEC005AF1B710EFAEAE6E6CD688EC,SHA256=7BA7F6D95F22EF7FA6A4C50F7F3EAC5107195BDC3CCE03511F1B9747B52C8DE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:46.263{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF1FF64FCB1A54225F51D855872DB2CE,SHA256=2D4275569E00366E500EB40A25C41C0AED8591C4089356B5995F312ABDF19267,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:42.828{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59251-false10.0.1.12-8000- 10341000x80000000000000001047861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:46.212{5EBD8912-883E-6151-E779-00000000FC01}66804384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:46.043{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-883E-6151-E779-00000000FC01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:46.043{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:46.043{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:46.043{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:46.043{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:46.043{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-883E-6151-E779-00000000FC01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:46.043{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-883E-6151-E779-00000000FC01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:46.028{5EBD8912-883E-6151-E779-00000000FC01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:47.869{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4298MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:47.790{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C4C078D6473D5785438359636A14DE,SHA256=10F73BAF7318E9DCB905F061C89885FB9139706D09BB0CBC249084B49AD817F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:47.427{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90CA2ECC4EF8842F6C662A2EDADA269,SHA256=4FC0874AFDC7155679DF6416179661B711481580A6293FB5E4962642B604422C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.937{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60951-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000976413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:47.618{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D5BEC005AF1B710EFAEAE6E6CD688EC,SHA256=7BA7F6D95F22EF7FA6A4C50F7F3EAC5107195BDC3CCE03511F1B9747B52C8DE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:44.129{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60464-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001047863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:47.095{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B172DCDB3955AE2CF6816552385DAF65,SHA256=25B2B76DF140C69B24DAAA9E752D9D28C826C36F9B7E7CAB397E327681B85C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:48.823{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50161869F3605E935E99814459221EDB,SHA256=A2C55198FB7BADCA8378CF39EAB3B38B83411A29BD54A52360DADF2C6C025355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:48.427{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C13F74ECE8FE79A7F36D2603762E375E,SHA256=1C6129CF0FB80277B06DF8F37D8837B9A3022D54624D4C5C45C875D02EC5A98D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:49.870{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6E1948370C1B27DA85BA938142A21D,SHA256=5BF6417739FE3E73A8A205E4511AA906458D401A73E27F4714541D052146C641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:49.460{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=486995291590FFC358FB91B35CCC1043,SHA256=4D8C2D65DF6D8789EDCF8DF7BA355CA1A20D515DFC13EF6A247A9DA79FBCC15A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:46.300{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-4478-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:45.759{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54952-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:50.917{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=770DF6759879EFA01F94A8A4415D9250,SHA256=673B2FAEF12DBAB537696FC79E326EB9A9C74F201B1A07D8289A01A0A1589D81,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:48.853{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49212-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:50.497{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C1DC110DB85A3E4295ECD3B81DA596,SHA256=EE05E4522ACFE4755753A04C296030AC394131E90D2619D96C220C1E747382C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:51.527{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF22973B2D078B3BF21CCCFC18C8D948,SHA256=CCFB329B5D081A196E7D0909DFA559A824061A7684FB9F8F4B79463104A7262B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:48.458{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63107-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:51.245{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7181E13373F39E5A1D704E3FE8A73AB,SHA256=AA4027CF44D310D385A253C5EF11BB49031375A9B2316324453659C22AEE8FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:52.542{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6E268DF3F498ADCAD4D59EFAAD3C3C,SHA256=2B2159CD93CFDD5102CE64C3505B73DF335B62170632E5705EEA5000A673EEE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:48.779{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59252-false10.0.1.12-8000- 23542300x8000000000000000976423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:52.135{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C67E8B262B1A9286A27A8296FD551138,SHA256=29E71C36A80EBBE31525D0E0F78042A29865A728EBF8BC2A33457E24AAC62729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:53.560{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A129466EF08E414C503F6EC73CEE64,SHA256=C9D94D838C4D9216E5F9B84D82605F94372E1569D8402ABC973A9DC8CAF3B585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:53.260{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACAC6C62ED8041C6A32938B662D809A4,SHA256=ACBE7B4AC33491570D2CD25BEB0E660DEA6AD0BCB98E4F47C192E337EE3F8391,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.910{5EBD8912-8846-6151-E979-00000000FC01}48085172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.741{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8846-6151-E979-00000000FC01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.741{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.741{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.741{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.741{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.741{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8846-6151-E979-00000000FC01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.741{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8846-6151-E979-00000000FC01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.726{5EBD8912-8846-6151-E979-00000000FC01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.578{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E247376DF1A2C9C26C974853F31C52F3,SHA256=144CA2716184DEF851F9C7490E17055556807EEDD7E66ADBE0E391C93B547374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:54.307{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C0EFBCD3C5992D1EA1B6283993F85EC,SHA256=1221D07675FF8440F5D95115A08B08E98CC0AB940310794DC63E89E9CAC966AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.241{5EBD8912-8846-6151-E879-00000000FC01}24764860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.062{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8846-6151-E879-00000000FC01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.059{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.059{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.058{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8846-6151-E879-00000000FC01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.058{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.058{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.058{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8846-6151-E879-00000000FC01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.042{5EBD8912-8846-6151-E879-00000000FC01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001047903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:52.731{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65176-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.625{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0756BC4E9992F048E593B6EFB9C9D1AB,SHA256=85CCEA51CD1803CFB0C41C4746322BE4AB6580A278E7BD0FF5A7262A233370F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:51.653{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-35072-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:55.307{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488032F4E513974269F8F3EC4A89E2E4,SHA256=6C7E2A2123C662B4FDC06D62179BEBA0E043D93DD0585CB279993A9BD84C2BEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.441{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8847-6151-EA79-00000000FC01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.441{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.441{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.441{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.441{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.441{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8847-6151-EA79-00000000FC01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.441{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8847-6151-EA79-00000000FC01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.426{5EBD8912-8847-6151-EA79-00000000FC01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.078{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE1A2D7FAE6E24EB0661B09654F55ACC,SHA256=DD1C7E0E73DAD1DAC8BA6D872DF6DCB2382E8B6810DB607092411DF742D5E3F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.078{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02F74EC3675E219FA1006B6BCF11C22D,SHA256=57EC0A689C20A7F5038FA23F5C53782447809167FCBFCC702D642C2DF4380DE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.886{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49213-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001047915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.762{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60922-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.644{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C8944283D1CDD3C0C8756728D6AC02,SHA256=BCBA915ACABE7191DFEC468E0F9C0D0935AA88D10D9A660CE98965DDFCC089BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:53.481{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49968-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:56.370{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2337952A90AB6394238FA109D18E4F98,SHA256=C788185119D9E26B6879B7B4C3FD77365770E2A4620CF2885F3B4CE4C460A3F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.382{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE1A2D7FAE6E24EB0661B09654F55ACC,SHA256=DD1C7E0E73DAD1DAC8BA6D872DF6DCB2382E8B6810DB607092411DF742D5E3F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.328{5EBD8912-8848-6151-EB79-00000000FC01}54204164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.125{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8848-6151-EB79-00000000FC01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.125{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.125{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.125{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.125{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.125{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8848-6151-EB79-00000000FC01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.125{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8848-6151-EB79-00000000FC01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.110{5EBD8912-8848-6151-EB79-00000000FC01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:56.264{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB8320424FF25ED2E9A3166CDC41AD48,SHA256=98D73CD44C51697A7C5443577002FA3AB93B3DA7D0B756304B35BF85CD6F5E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:56.264{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B16728A0A652B07E7A18CF323D8F4579,SHA256=441C09A521603294D37F9A224B04A9689404BC7EA91783AE5DE175011FF085A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:57.662{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A97A42FAFFF3FEF4D5B4CF4989A7A3,SHA256=FB291F4DB1DCA7971D12D8F53F89A184EFFC8B03FB1C98831F40895AAD857739,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:54.764{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59253-false10.0.1.12-8000- 23542300x8000000000000000976433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:57.588{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78604D109F1B363CC5464075DA48D268,SHA256=DF53014FED5DD50E8A61580E66BFBC4FB9E84816A9E69AA2854EAEB0927466CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:58.681{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6831CCD345C9F97849A2BF0C9185772,SHA256=CD463047B4EF3515EB7170E60C8DCB8F5F6B2240F097DE68E0DEB4EE3D002ECE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:55.736{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-6516-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:58.651{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB8320424FF25ED2E9A3166CDC41AD48,SHA256=98D73CD44C51697A7C5443577002FA3AB93B3DA7D0B756304B35BF85CD6F5E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:58.588{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=494DBBDD31FF662C5ABDC5CF1C314604,SHA256=CF511DE9B535D05C3DC77921BBDAD6EA5790906B3E5695F89674053527562E52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:59.745{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE20C70E4C4B154141498D0AE283DC6E,SHA256=EAAFC7151F7CC3C57C8987C1675A87975937EF1A39CCD9367ED6DB7712976912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:59.712{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3749E069EF2570343A2665D58F88928,SHA256=48CF73A7CE973E0B8A700CD6246657470FCA23B1AEC5F7982EFF20BC51501AFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:00.760{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9580D2DF9BA85E80D8F3FCF477E9E8B4,SHA256=D84BF2938E8946BC30512548D6F1816EACC0766FDCD07DCEEAD9E97BDF6C5E16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:00.727{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD48A3D7A4C77D774776D6350D4CD8E3,SHA256=88191969DD3553E991DEE69177B5EF63D158F13CF672A917B5073FEA04A67BD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:00.682{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25FFE93855E505C3F1123EF8A81D87F6,SHA256=079067B4021C72393ABF309F62D01A2A423D044193187CA06A75EAA539097624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:01.776{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CAE7EAB64DD562E03E41424920B68E1,SHA256=CC716B621CA730937B1DF505B0E03FF822CB436B340CFC026E783CE5C16D256B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:01.727{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F28E7CF53464B584FD5132D283D4860,SHA256=BAE3671E2D99EDFDF2FCB0854671070E1DA940727FBBFBD6B631C4B51DC1A67D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:57.606{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-17812-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 13241300x80000000000000001047923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:01:01.265{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001047922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:01:01.265{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001047921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:01:01.265{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x8000000000000000976443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:02.779{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E821AA1BCF92ED050AB177B9A886A338,SHA256=F51C58CF829851F8D902F3014772997F43B841040FB0D248A7409C6D290BE892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:02.742{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F823DEBD2DE42B578F0AB85A1DCD3E7E,SHA256=2B6F0A62786A4653491297E8DBA34A74BBEBF408769ACE7AEB2EC868E79D39E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:01.021{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49172-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:00.987{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49217-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001047933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:00.987{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49217-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001047932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:00.971{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49216-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001047931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:00.971{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49216-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001047930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:00.953{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49215-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001047929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:00.953{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49215-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 23542300x80000000000000001047928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:02.295{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71D5F1340879C74C620F099D52027DDB,SHA256=8FC34E253C41E171803FDF5884AD3A9D6E000A8E1E9F566F53EBA3825B122A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:02.295{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=961159C42DA1534B06A2F7065262D24E,SHA256=662DB7F2328DAD2AE2B10B1A9D6C2FD035190748ABF9EE1F08415EA7E6337EE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:00.788{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49214-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001047925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:00.644{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-64254-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000976445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:03.966{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEDAD4840E06F498D207887FEDB07857,SHA256=D7EFD6DC7C5A5045DF4A4C2BC3D1A05448C6A7B994C5DBA8CC947F77A2390DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:03.779{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5753E92F2D48094AF492250B54CFEC50,SHA256=00002DDAAFB76F6539DCDBD81BC32399B98BC8B8E5A33C9351554C8EF44B9AB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:01.975{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com50457-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:03.779{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A03F42A3327D284513D5ACD103FC6224,SHA256=668020E2C80CB696FF24107A984DF7514AAC557A14B241C03F18DAD166A1B523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:03.626{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71D5F1340879C74C620F099D52027DDB,SHA256=8FC34E253C41E171803FDF5884AD3A9D6E000A8E1E9F566F53EBA3825B122A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:04.794{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0DCD928A9F6037FC6F9217B5DBBA56,SHA256=8552AD3D6CB9183BED30B383EBF5913239A0606A1F0AD11F08FCEE8E5179B2D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:04.926{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990BBB1A16A53A03F1682DA23074AC26,SHA256=11384024174A5148A85BEC663E417D2405ED56F791CB108E766B549AAA20D7F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:01.239{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50416-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:00.699{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-29421-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:59.904{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59254-false10.0.1.12-8000- 23542300x80000000000000001047941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:05.940{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867D05876C9CE43804FBC724EBCF5193,SHA256=E876C636308146788987C5F4C9C04B2B3FF2725862479059F61B290E4E77A4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:05.810{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E74DFB2818AB7DE6E7924D926DF7481,SHA256=FC1CC1CDFD176ABDA8FEB286E1049D78A12C9BE1C300612462F784D3FDA44F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:05.779{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9426A725776731125BFC21B51BB288B,SHA256=CE74D97EC790C6A36E2703D64AB3C60C555CD531C4E8AC746FC806F33FC6DE7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:06.959{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6597526F74047D42BD8E28C3167AC7D4,SHA256=81025DE21EC6B4F939566D205DA93D0CF4D5FA867CBC33D3254EBF5CC61A3441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:06.826{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22FA0206F111BC687DE0195F2A3361F9,SHA256=BD081A51F48FDB0D4746D0254F398AB75F6B5A4FC333F3D01E7095CEFDED992A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:03.218{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55922-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:07.841{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E54E67BA9368682A63D7EAD87ED8E3,SHA256=B2D7357BDB0D679835F2406EEDF132E640508293235B0FA908B96DEC006CCFC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:07.976{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB16A69B40F919FF5C68DD39C9BD1D5,SHA256=318300E65E70E0E13ED81739DCA00F45083ECBB66EE95D38498E4EA6B79B0DE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:07.529{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B87EBCAF4A386A5A1606F10A29D4753E,SHA256=A32F7DB272774CFB9C43750666B5A993CF96C3C6B20A6DCB084171A6E3105A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:08.857{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A33599C5CC0521CA6A1692BAFB317F,SHA256=BD41F71C80B9F5DAD7E73DD550BF0D7A90E43F4B4D2FB3DE1536AF3DF4F7C914,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:04.733{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-58812-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:04.636{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com52086-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001047944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:05.869{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49218-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000976461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:09.857{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20575289FA0194C75427BEBD54C9F5CE,SHA256=96A1056DE3E185558B3168A0B8763D561BC202630037C062A5C7739821CB08D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:09.857{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3BC87AF8358FAA56B0657FFF86585A,SHA256=A68A127BC2D51A23E78B9E315A09DFBC43A0686BD68403F8695C76CE8FA7D578,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:05.860{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59255-false10.0.1.12-8000- 23542300x80000000000000001047950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:09.864{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D82AB69DF90D038CA04EE26BE201C90,SHA256=B4F55670F58F09B5155819D4815A77F2C3787F2C8A0FB3792F597349D734879F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:09.863{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25C8BB677492850DCCDE85533E82F746,SHA256=A9A43FC2A0CCF433A12A74A49E9AD56C805F15BEEBD05D02C503A4B6807AB93E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:08.439{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de64660-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:07.791{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58134-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001047946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:09.406{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:09.006{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE7E611E2FD903F27C86FE88CE52DD8,SHA256=BB4C529CD783B912A60A1909BB8E93D1DAC7F192F2A6101F1D083E0CFD136EE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:10.872{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA6C82EF59C3D02584A9968177E9259,SHA256=38D24A28290192BEE6AA0F0E91BA0620FD69269E9CC958FFB97E51925E50FA85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:10.030{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F353E004DCE3D93CC9D4A343FBF71E97,SHA256=EDB8ADB7AECD60E97043FE4CA511FB4B2EF9D2526BC064E0E66B76AA1F4F2B66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:07.327{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-56650-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:06.828{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-12296-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:11.888{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E69525249FD7E9D220B20C3E1A583C,SHA256=FF13691A03E4D7B78535A1D0DAB8C2348F4B91C4B3F30F667A121335A769ACA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:11.063{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F58C2032CFF5B1640A4077F6D33B18F,SHA256=AC095F101BB017EFB9F7A23321AB898F4DBDCBC6830A9028F641B21031EFD0AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:12.904{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C3E0775FB765B4385DD2E9F6A85E3FE,SHA256=64C0A29AB03240613565813B9A2850C3B6F042D9A9952A10D3A6652456BF4B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:12.083{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDD90A81E96D997CC70EF34B7D9CDFC,SHA256=BCCD1351DED183AFFFDD621F66F3C56624B72E6C681021C1486F25556A3AF079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:13.904{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4B50F22108D0FB89C9203083FD5A0A,SHA256=5797CAF1654147985C06D438DB455A0357E76F5A337DDB4212F076076741E2E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:13.131{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064FA5514F40AB6E2F21AC8193E6A85D,SHA256=F989F1466D68A81D153ED2DEAEB2CEEE11053D71D3EFCAF1B5E158B1F5D1FBD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:09.886{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-24166-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:13.451{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:14.919{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=066F23316447C12B6B61DADF41B65EB5,SHA256=B4B3A53EF801FB10DF7D4218A10C362B1872C6D7AFDB91165B031C477C75DBC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:14.146{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B379D3979441C99CC83D82E26B59F5BA,SHA256=34BFC60176908D266F76E8351292A4D632DFB67DD02BE5BCE1B53DD7A2C90152,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:11.860{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59256-false10.0.1.12-8000- 354300x80000000000000001047955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:11.875{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49219-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000976475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:15.935{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7CD8651A00A325378D2968C80379560,SHA256=B996F5D388EE88B3E5898EB3A1DD74CED72C662099B788EB2B62F104AD027348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:15.421{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4297MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:15.147{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00E91AE65CFF37C89492E6C576DBE09E,SHA256=50E9E347F317AD0F30E16FDEB0FDDDF9EB733BF26FC35EC4B7368B969496CB02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:12.079{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59257-false10.0.1.12-8089- 23542300x8000000000000000976473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:14.997{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3F2619288260FB568D7B02B9D7874F0,SHA256=9E5644CE7368879528B45C953F32B00B450A1BAFEDCDA20AA40D5285F6F983E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:14.997{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A35A91D3EF04F4D436791BC784094E39,SHA256=05E2093DB87058B589952168B9F53791CC5BB7BA21B93E10397C69F1CC893CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:16.982{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3F2619288260FB568D7B02B9D7874F0,SHA256=9E5644CE7368879528B45C953F32B00B450A1BAFEDCDA20AA40D5285F6F983E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:16.935{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E72D83F6BF1A7ED51685ADD79CD2C380,SHA256=160FDF80FBF2BD2B9CFE26EBE84F38FE9463C9EC925F509DEF8BF840CAA599BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:16.532{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\aborted-session-pingMD5=E607D29C51D064F90C975F4F2910CA7D,SHA256=C019359EF42E6AD081D81B08382CC96277448A2A2E5E874DBDA6CB321C286268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:16.433{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4298MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:16.232{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD7C3E9F000EFF0369B50299483D0344,SHA256=B8F041FF24B3E39388BBDD72EFFBE026195C9BC8692806D7E42FD47B0A49A81B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:16.232{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D82AB69DF90D038CA04EE26BE201C90,SHA256=B4F55670F58F09B5155819D4815A77F2C3787F2C8A0FB3792F597349D734879F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:16.148{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485C7A5A5D7B7ECE81F724528115199C,SHA256=3DFB3ED22E407844C6400ABB966FF7E33E2C2F174E6923D73EAFA9C8536D5483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:17.951{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B79085D6D62BEF3A47F98C13BD2044,SHA256=174D94299A6143359E1527F02E53B537639262FE33496514A4B6A645759AE54F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:17.266{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD7C3E9F000EFF0369B50299483D0344,SHA256=B8F041FF24B3E39388BBDD72EFFBE026195C9BC8692806D7E42FD47B0A49A81B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:17.166{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529BB63B8A1DF55F284BF94809771D83,SHA256=C612C7AD54E9606E8292647C01FDC6761AE0029B6059EA893CFC23AF72536EB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:13.975{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-53985-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001047964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:14.607{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62297-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000976482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:18.951{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B77A8386335362BF66B8B454A09587B2,SHA256=B3DF890E6D8E65FEE167713A0FE36ED4D166F260443B139F2BC6D051C6DDEBE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:18.215{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0F82773C4F4FB275D5CE6A76E99D5B,SHA256=451E3339DE5D1433F64EDC466668001C006C2E83EB9195AF7B7BE8D1B3EB354D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:15.318{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63505-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:18.201{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB11E501BEBFF5517D12B4F666F09237,SHA256=A02C034B8FC4301222775E49379BA08580F2F1D1B25CF0320B50459903A32724,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:15.939{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49220-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001047967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:15.939{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49220-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x8000000000000000976484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:19.966{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7762E0EBA27478B5B0D196E051ABBFBA,SHA256=F8D873368E4746E03CB5E85A111D94A153956341154364A1F10CD7E0534F90C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:19.234{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1187C10BE33016A9F89BD77EC9C4E0E9,SHA256=EFD9695BD315F7B8CB796D3097D594999EE37F76B9C4BA6B7A91AB0C8A2F3D9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:17.013{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-6893-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:20.982{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A15C99709BE2CC873AA9F69C303E9EB,SHA256=231E10F71DA38E51D713403993D9F1C7FA8B8B74980C6542B44FDA5AC6A0146F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:20.268{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4641F5A4E859D20ED45ED9BC240A5E6,SHA256=AE071D04D67BCC041EDFFEDF788465B86DF149228F458A814BA52FF8675CABAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:18.488{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64083-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:17.807{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49221-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000976485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:17.860{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59258-false10.0.1.12-8000- 23542300x80000000000000001047971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:20.134{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A2CC2EA2D4A9980B39B0F6C59A0494B,SHA256=AA3DEE6D381BD9CE434F05491472639DE23812C8B73AC1DCA9220ECCF03B6CD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:21.336{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2438FA0AB9460151DDB091CEEF4B0C,SHA256=2A36E10EF8836252BF8C990A3391292FB91486AE4D1B8CC6D91D2E91B1DAD715,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:22.919{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:22.350{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=870AD9F5750208247BBD90DD94CC7E45,SHA256=772AB45755ABE9F6DF0C9B1C4F8A682A34C5FE4F7DEB7C6CD97B50F6D6CEB8DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:22.138{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A1C3F8AA2E268B294B12EFE3D0077F7,SHA256=C6983864EF68E989552946F8AEF002A1D31DC42302917709B076A429D22A6D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:21.997{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B8D35465737422F98502D06A597ECB,SHA256=F596BA41C6970E4A78D26A8CE4A3E685F60382EA037BA94EB3D6DA3EC3767123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:23.353{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EFED3CAD70B377B02FD020A1C6BBB52,SHA256=A5660F892B216609713386598974EE4D202B96340FFB43805F41E127ADDD6299,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:21.142{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-36875-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:22.999{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB97B1F3DA09B04F02D5F08641B7FB67,SHA256=D54581734FB46E62C9CFB785768D31026F3C1E740C582EB8F5B46FE658D3051B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:24.535{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:24.369{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAB5874458AA479B5AF4D61D27018CC,SHA256=4F1F14A73C114F623A241749A3CD03F3C5B93E67FC44AD4E814351E3422AF59E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:24.202{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1D4E8560ED45F5DDDE7AB13A453FB3D,SHA256=DC7A40AB6BD62501EDCAD52E5937D1165711DC38E40132001B33DB0D8B154983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:24.015{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57495E85DFA65E62C5E37F561BC2FEA2,SHA256=37BD1FE20E89AD43A593930911EC20CA6A4B8DE5B48B1730A0F96AFC573E0C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:25.535{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A519511B0FED02E84EB86F3D38344AC,SHA256=EEE926E000D5159DE25F7DDA461C4AB171A682B7C56212FCC85D04AF3A47E552,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8865-6151-7A79-00000000FD01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000976505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:22.375{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51401-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000976504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8865-6151-7A79-00000000FD01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8865-6151-7A79-00000000FD01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.906{69CF5F33-8865-6151-7A79-00000000FD01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.249{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3D2DE478A8213FC975E790A8A7A92C3,SHA256=29D98C8E3FC7ADAD4E988956E27AB968808151EA2EE9A48213FD34CD8D346FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E58E9D225C348EF1AF415D65367A57BD,SHA256=7418EEA21161AC510902D93DDCADD41902CDC978C35E9BD4A02EEE4B7EC9B9E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:23.796{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49222-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:26.571{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA9BAB5FE982B497606E555C6BA6E080,SHA256=C7649D92122804602A13E9757F917A82B6AE6CA2EF0AD1CB744D99DBBBE9761F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:23.877{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59259-false10.0.1.12-8000- 354300x8000000000000000976526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:23.194{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-48728-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000976525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.718{69CF5F33-8866-6151-7B79-00000000FD01}3676416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8866-6151-7B79-00000000FD01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8866-6151-7B79-00000000FD01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8866-6151-7B79-00000000FD01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.516{69CF5F33-8866-6151-7B79-00000000FD01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.265{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DEEFDEA13F129176A2B320E22467EE1,SHA256=471F6E883073D7944F58912A8DE554AF4E639FC10F5F128CEBF86DE4B69F0B8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.171{69CF5F33-8865-6151-7A79-00000000FD01}9361996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000976509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC326FD1DEF01DC5754C9A6F05D0F12,SHA256=99ACE16B79F930675278EE57B6826905B40A83FFF2804CA32D6578BBF9F96A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:27.635{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC36CC4171005809B87450C358035FA,SHA256=07976DFC390671EF8593E569C20A43B1231551F6B709A1E24B3D9A385A10A9E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8867-6151-7D79-00000000FD01}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8867-6151-7D79-00000000FD01}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8867-6151-7D79-00000000FD01}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.890{69CF5F33-8867-6151-7D79-00000000FD01}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.593{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F11A51B51D9AFFA5C3135CDB969E5B3,SHA256=A095BCCF5CCCC5B6FADDF713356B3085B321CD20A61E4F98C86759976CD257CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8867-6151-7C79-00000000FD01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8867-6151-7C79-00000000FD01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8867-6151-7C79-00000000FD01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.203{69CF5F33-8867-6151-7C79-00000000FD01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.202{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0885F29335B7BF299485129A5E53EBD1,SHA256=68482E19680F69FDD0046BD674B5778AA16B5445BF9AC923DF7CE9A8731AFEE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:25.395{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52763-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:27.404{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18B94E058FCB40A8342DFB9C5B9470C7,SHA256=F4AF5195FD399FFF4B2BDCAB4ED6779BEBC5E74629A9B4B1171002D978836CF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:27.404{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DF1E31E43859439CE1E1D92B4935B18,SHA256=50C93AEAAFD4C77A0E9608A4970C4C697FA392501F792B8B010129821ACD6077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:28.635{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CD0ACF60C85C81B1E67ADF6440EF22,SHA256=03FDFCF32945A0902D5E0DD876F4B8A0A74F6B5FD756CBD318E95E15F7F95558,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8868-6151-7E79-00000000FD01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8868-6151-7E79-00000000FD01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8868-6151-7E79-00000000FD01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.578{69CF5F33-8868-6151-7E79-00000000FD01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.390{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1E1E139DA358320BB9D70F64BA152F,SHA256=48CFFCFC0BB5A763149B574090466E8E5FAB0BD42031754C9BFCDDC4919CF7A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.093{69CF5F33-8867-6151-7D79-00000000FD01}40361076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000976556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:24.848{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54872-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.561{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD9A034440889CFBA9A52FE995E80D0,SHA256=B4F366D6518F86564537C1000FB482FE992665F92C829A2F74360E9735D850A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:29.651{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D744310E0A9CBDA3D61C61B2FA1FDE6,SHA256=5383FE7A855D9F0B43606BA9E17F7DC03024E3226F6BA2C2A805D3FA1F98DF3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.421{69CF5F33-8869-6151-7F79-00000000FD01}22842512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.280{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8869-6151-7F79-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.280{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.280{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.280{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.265{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.265{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.265{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.265{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.265{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.265{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.265{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8869-6151-7F79-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.265{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8869-6151-7F79-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.265{69CF5F33-8869-6151-7F79-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000976573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.301{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-1905-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.061{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1918E6E22468987151ED89A3C9EC36A0,SHA256=291E57778BA4870C93EFC56C4A072C0EF47A7B6813DF2925E4A95EDE7180C167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:30.718{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E69C0D7047CBA5DFFE5854E01DFCA2,SHA256=DB616D800FB0B793C6E1D58B1149E8AB1DC07F479A3CE9C00FCABBEDF7EF2546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:30.653{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7409ED65FEA419334B283AF6F530B8C,SHA256=CCFFAF21CDA316BF56D1281C1BF3A5E75C875BD8894B68FB18C20426BC923125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:30.390{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C328B99271C7BC78D1DE436456C0013,SHA256=04CA7E49877B4CB835A1274EB3D4945448C624088C4792FA3C004B6F9ED841E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:31.952{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192313F5DCDEA2D360289ADA34F9ADFE,SHA256=BB68B5941A2F6FE0BA12BCC7C4458094656D1248DF630381610F5D385B9DD6C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:31.705{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E3A21C7336D2B9D952F4D8AB5F4CF5C,SHA256=ECD733E3B773F7FE690D7AA81800A93A82DD5AB11A25AF87DAB733959E9D0E04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:31.514{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A91E7EA1E27E7D41999A2142372CF2C,SHA256=18F2A437A6C797AE35511C2EF6815D018202E350A730BE93768077AD3451FA1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:32.889{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C45F2923B5DCCC747930EA0A7A904BDD,SHA256=4B2F89959AADF550A085E3253E98B85D83607831EA73BD4286404226F361FF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:32.468{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3E02477241288A719D0449B48E01D87A,SHA256=597DC36C7BF84B12502D76EE88A860663C0182F165AB95FE1C7EA423AACA5F74,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:30.589{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56008-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:29.779{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49223-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:32.237{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18B94E058FCB40A8342DFB9C5B9470C7,SHA256=F4AF5195FD399FFF4B2BDCAB4ED6779BEBC5E74629A9B4B1171002D978836CF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:33.904{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC551DCCA584EAE54FFA9BFD0051C1B,SHA256=14616CF578E4DF327470CEAA3A695A762B619CD46A8383F65C1C4865934EC6F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.830{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59260-false10.0.1.12-8000- 23542300x8000000000000000976594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:33.014{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F230A809CE5FF6C680822C3DC02AD3A8,SHA256=050E90459D98A6DEEF4858E65DBCE2C7E689AD1A835388C55332E3B1960B2A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:34.919{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0CBF1DA2B2F02FC453E7B3DE7BFF9B,SHA256=0FEBDC7225DEF0940EBCCBD8C46EC2CB55D450305C85626D6E4E7706A39E21EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:34.233{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE23E94AA70004DB7E7356E0261778B,SHA256=843373379A5E599F69E13EEB61D39D6961C0E51BCFD3B0117313E900B99177A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:34.619{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8378C2FB2155646F1CBE75C6267FFF40,SHA256=13AF4E6C4F2D111D8ABD82F79F6ABD94BF95B5313CB1A4EA6DFA68BD7FB7FE29,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:32.213{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57023-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:35.934{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A30631206CE8CC7BDDD8A236DF96AB,SHA256=824041F313B39CCF77EA17F4C83996E99956132E3B4C4DC09C64CFCFBB8BFB65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:35.764{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=102F9E25F00C6B4AC7FCEBEA8D0CEFEE,SHA256=F0E439E4BFBB8A50D39CE8FFB89BC0DD5E21CEF665D236CAC661D185EEC00E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:35.468{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1197B24B4EE1548F2C4D7B6049C23665,SHA256=8B9E67B53A45B4259C69434055A15464EE0121E31EBA4B2E2367960F9498240B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:31.555{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-32385-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:36.935{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5FF48B01967F888FCF9F472C69DD55,SHA256=301D5B788D3AFC8104D182055DDE4B181BD93489BA800CEBBB55AE5171978FBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:36.514{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE8CF424FB464A452D404E79561BE70,SHA256=C5AACAEFDA0FCF6213DDAD69051EE0EC84B9A3295DA5FCCB724565B20593D410,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:33.924{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61030-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:36.403{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:32.924{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58203-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:37.951{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53FAA9A74DCE6121D1CC27C167DB3007,SHA256=1D47BCEEB010FAEF6B189B234C62EB058F1E84F3B6FD5681BEEBCA1358D28D22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8871-6151-8079-00000000FD01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8871-6151-8079-00000000FD01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8871-6151-8079-00000000FD01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.734{69CF5F33-8871-6151-8079-00000000FD01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.671{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28AC669571B3940F15A63445F1664E7A,SHA256=797D2CC951A7CB2B385F0199C987D59648B513DC05F33F3F214EF59CFFC04F81,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:35.795{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49224-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:38.968{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78219CE3B050DDD592BB1E3E5BFDEFA,SHA256=FAEE751C763C04C668100C74416DB557030CCB82EC1B32829D28DD17258DBC89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:38.749{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2DE7C47B01B7BB2E3206A16470904F,SHA256=11262D1170709C6D7B85135DAB49BE8150B9C709B27C37C100BCBF6ED46D0CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:38.749{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3A1A7B068979023F0AE2A9C508B862C,SHA256=7BCF743F80F402C8CA77F8D3494620218F728FB317F06FC6C1A9FA0EE0013802,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:36.079{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49225-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000976617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:35.830{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59261-false10.0.1.12-8000- 354300x8000000000000000976616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:35.731{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-4103-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:39.983{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591209A3B8E9C3352BE7C8634404E44F,SHA256=372630F1076F1D7C1EC46EAD7DFBB42FDCC23E671E39CE8EA2BEE4352AE3F706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:39.169{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=07E31491B3B67E0F5EAE3EDCAD81EEC8,SHA256=7C7D698B85BE19EF3B3A7D8E279776ED888609741348598E156170F95F1C18C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:40.655{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43A7308E2FD088CC40C1063DDC949380,SHA256=E17B5B452FCB53B04177D19E145FF76A4DE52063D1CFBF17C226206AC0B8BCA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.805{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61363-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:40.005{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B471820ED4EE707A00799E9A805CE8,SHA256=09F845C9C33489AB534A14EB99788F6ACF0D267D31BD2CBE7AF30601D507E196,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:38.706{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-15610-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:41.186{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2022581AE13E596FF272D2544672EE,SHA256=EB738AC82259E60897828CF20A8BC30594EB72A6108F2E3151166E456E916863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:41.904{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5410CB9E95C94077BA1AEE37D65FDDE8,SHA256=A7D235BD4F1C84FBEDC2F6A1DDD732662DD09377DD32FCA0E3241BB4063B6A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:41.904{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA523865D7AD91C674FACE93CC233810,SHA256=AE5957511F2CA418E3DC61E97CBFA9D5B3C9869EB5FC816985033C179B3122E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:41.036{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0203BCBB3DE045A6F329F987020476,SHA256=FF2CA2DA47D32730555543917507F35587613BA4883FE4AB2F489618F52017BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:42.202{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05356BB90DCB8207C55D157AFDC0D143,SHA256=2751216C7B90DB046FABADA57B9538119F1F05C298CB78B1855F08F968DCFF92,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:40.287{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49414-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:42.051{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F3F927D18AFDF1C1D897BC48B0008B,SHA256=FB798AFA0E0BE175F7A59344BC6F562C9D9A8461C4BDE373023F5427B7B22671,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:40.313{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50457-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:43.214{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E83FEB2532A2C77B220EE9F6BD6B2D0,SHA256=E0B52929C79D2DC75A7B19EC41E7FED28D9C8B4B19A878F254902266CB0D241A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:41.811{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49226-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:43.069{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6E92775AD655510929F748DFBCE1FD4,SHA256=4E955D43D9F406B87B071F6CB795FA39FC9303F4BA36CA05878D9B1838FBE96A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:43.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82F86738B1391E49E83A2963B819D69A,SHA256=174F946ED645495B7E3CE99AAFA117318F771C4C9F71F957220C32E9401936F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:44.220{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A67D230AF7C96628F6BCFF6EB3D971,SHA256=C371AD120A1970A3A2AAC0BAA9338B09BED9B20E5299A9D64CF9D2D0A8E30950,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:44.570{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8878-6151-EC79-00000000FC01}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:44.570{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:44.570{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:44.570{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:44.570{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:44.570{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8878-6151-EC79-00000000FC01}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:44.570{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8878-6151-EC79-00000000FC01}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:44.549{5EBD8912-8878-6151-EC79-00000000FC01}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:44.086{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4A64169681D9A8FD0DCD477B9AA39F1,SHA256=A4D55BE71DDC8E3F12B1A6C0A714E3023C8E2C08C030B6C5C7BC7044E24F51E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.802{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8879-6151-EE79-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.802{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.802{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.802{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.802{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.802{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8879-6151-EE79-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.802{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8879-6151-EE79-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.788{5EBD8912-8879-6151-EE79-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.602{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5410CB9E95C94077BA1AEE37D65FDDE8,SHA256=A7D235BD4F1C84FBEDC2F6A1DDD732662DD09377DD32FCA0E3241BB4063B6A87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.433{5EBD8912-8879-6151-ED79-00000000FC01}42044756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.171{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8879-6151-ED79-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.171{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.171{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.171{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.171{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.171{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8879-6151-ED79-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.171{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8879-6151-ED79-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.166{5EBD8912-8879-6151-ED79-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.149{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D359D5845C0B0ADE31F905F6CEF2E3FD,SHA256=60EB780F916E3896EECB026088FC10940B9BC2EE1312D54912D01BF85A9B81DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:41.975{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63908-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:41.718{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59262-false10.0.1.12-8000- 23542300x8000000000000000976631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:45.652{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A110EA0420DBFBAE57BEC761AEC03C5,SHA256=2631278FBD739AD3F6D20D7FD90FA3D10B42B01F74E1F9984EB1EDA0561C21A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:45.230{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEA5C8080B5089F6BE9BD9506E266DF5,SHA256=8A3320CCE078F0CCB9D5AFE10409EC339D872EC161D0681BF7BD3C83FB941A00,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:43.846{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-45270-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:46.245{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861171C93C0F0B20E031690C0220084E,SHA256=BEFBE316B4AAF5A4C3023CE6C7F70A1F36A52F4F1AFF834714618D4F1FBC41C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:46.787{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E59765B6B9162AE1DCD2BBF49A20E3DA,SHA256=00F17D1FC7994525E453DF79ABE1AAB17208420D07FF7593F5D38E36B7D39941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:46.150{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F41F4853038738AAFB148DBDF19916,SHA256=7AE008523B88CF991051DD3BBC08E9B3805FBA526CB1B90FEB3D8C33C8748279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:47.245{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7890BBCDB2D64CDBAB5EE31BCB8473B,SHA256=C671B658D636CD3CFE77DAEF8D6B0E110419A9B8E21436F6412CAF1349C25FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:47.168{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970CFF58DE48BAF1A2CA8BA023B5C1B5,SHA256=90F4FAEFE143C40F3D41DF90D87B710D4E64962B93A9DE722DA8CCE7F44E9AEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:48.389{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4298MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:48.247{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A8FAE493231A97B5B0808BF398AC15,SHA256=1B6315673D0B5A5E611F659F52D00D4DD056A0B9A7CC5898B7ABACB2E90ED32F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:48.186{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACAC17359E3EEAF8C457E1866E576D98,SHA256=2DEBA01571B672D4BF39EC6D1A9E101AF24DF8D7793321EF355B4247BE107274,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:47.724{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49227-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:49.202{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04ACF9920BF169A02F0475B679D2F6E8,SHA256=7F2844595FC94EA8526D84E6E7C0BDE41935947DF6B761FFCD57598001BD1E8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:46.828{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59263-false10.0.1.12-8000- 354300x8000000000000000976642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:46.568{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-56814-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:49.403{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4299MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:49.261{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96CA5FE3D134736CB3DCAD8238E7D5BE,SHA256=95E0C4ED4EAECF9DF9AAAE2396366D7745F9B120605124B720D93ED2DB5CA2BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:49.245{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47003943220F7E1CBF0E1732344BFFBD,SHA256=635C40C9A738EE224888CFC3474D78E82DADABF43A4FDED1142677EEE0E07524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:50.217{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F5D495181199194F1228458F006289,SHA256=8A25A164885E264399F3E239B9E04659A0625339DA880518D135F9665605BBAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:50.263{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4891138B3178F75C7AA5E5BA32DA996,SHA256=F52DF8F72649A9AF21883FF3FFB80996B79242F75B905208D5EA7B7983056EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:51.857{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC51382457BB18613440FCFA80271B59,SHA256=0A1ABA4582C8214F8D12272474227B0834A64B961354923642616C0720102B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:51.278{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=739A1B0AFEA13A00A7966E68E75FF8AD,SHA256=D4A6CFB7E6B98A5DF0D0FA56578630FF3F5D554B7310A06832A39303AC133390,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:49.616{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de64985-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001048053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:51.417{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:51.218{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A12F049D3F7C59B299D1AACA46063FE,SHA256=05C1F5254742464A029AA2B2333AE0C838DA3682381334ED6CBBCBE7DDA14EF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:48.012{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de56987-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001048058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:50.993{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52545-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:52.388{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59BC53B422841249A2E5CDBAFEE51D18,SHA256=7802A86E6CAA90F5976AD896B593FE574DE5A59F14626D86BDDD4E62CCEC794E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:52.388{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF667FD4782AEC814E62FCB794AF70DC,SHA256=FE3551762D2291D10BC19236A999ECEFAE4413C76A5A250A4542BDD8152EAD33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:52.220{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E01E03663982C43789728FE40707300,SHA256=01DC9F8A5897240DD978A77B52FF16F24C271966AD0F3E028ACD0B043C269092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:52.278{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C1720F661317DACA51447261837244,SHA256=D30A72EE9A18DCE4E025F8E4E01D9B6CACDB48A0D54047E3BCF7BCA4F572A86B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:49.148{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-23488-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:53.518{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59BC53B422841249A2E5CDBAFEE51D18,SHA256=7802A86E6CAA90F5976AD896B593FE574DE5A59F14626D86BDDD4E62CCEC794E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:53.234{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1F2ED6EE901EFABB0167891511D5FC,SHA256=DDC386CEAB063D75619FC0CD1CDE65B187D8512EAADCE6663BC0BAC548EEDB5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:53.294{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41FC3BCB6D8A5DE02E74E378D0AB869E,SHA256=8C0DA36CC1225A1805D20D3125A3FF6D2BFB9F7C05CEE4F0AFF57C5DDA87E69E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:54.294{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98BDB81E46CB228BF16E2547EAAFE8D5,SHA256=FA3C7CF74D5DC2F249C1D8BF7B2F6FA9943BDA50752B55FDD368288E0A0EEFC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:51.038{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-34351-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001048080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.909{5EBD8912-8882-6151-F079-00000000FC01}70966628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.724{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8882-6151-F079-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.724{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.724{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.724{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.724{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.724{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8882-6151-F079-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.724{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8882-6151-F079-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.710{5EBD8912-8882-6151-F079-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.255{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5591C88A9088A78EA7C41B206E00E54,SHA256=91479745E83FE103ADF5B741F6C2322D7CD95BE07CD12314B4DDCBED564B4D07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.240{5EBD8912-8882-6151-EF79-00000000FC01}44566460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.051{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8882-6151-EF79-00000000FC01}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.051{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.051{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.051{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.051{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.051{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8882-6151-EF79-00000000FC01}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.051{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8882-6151-EF79-00000000FC01}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.036{5EBD8912-8882-6151-EF79-00000000FC01}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001048061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:51.833{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53138-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000976651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:53.997{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4C22BFAB23B1FDE4BF998C5CBBC935A,SHA256=70562D7F797E74E3B376ADB021B24ACAD9BB2B0961C30044FDC7EFAA7199C5F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:55.357{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD702789B2B882A4F01D999EC4B8C42C,SHA256=3ED91A1A3F2A473DE8091EEFFFA51FEC58B89155D42510AE90B7FA21361902C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:55.310{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43425B266850FFEFC689BF44350C4ECC,SHA256=0E4F7313BEC6668E0BE986EBC8EAF8AED289A02D60B94FAEC1E0BE7826436D8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.495{5EBD8912-8883-6151-F179-00000000FC01}52285240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.324{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8883-6151-F179-00000000FC01}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.324{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.324{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.324{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.324{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.324{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8883-6151-F179-00000000FC01}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.324{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8883-6151-F179-00000000FC01}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.310{5EBD8912-8883-6151-F179-00000000FC01}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.277{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993F303AE51E72ADB277CCEC391D4E09,SHA256=98C10DDA5AFAB8985C20DB1383B2C40F2D2E31C767B7FEF037F4D86C0ADD37EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.093{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2419CE2215DFE7FAF1582E18F9309A2,SHA256=62A3D85BEB15D4F6183EC380CB58C9EB252A9114DC2FEAEE22CE366D0CC13754,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:52.845{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59264-false10.0.1.12-8000- 354300x8000000000000000976657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:52.468{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-50803-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:56.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54FD74E95481B847B3D8A25EE055319D,SHA256=6A07F66EBECA86C3DE22A78990E8D56189B13840C8ED24D30649A1FAA7BAB57F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:56.325{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A01334B9D62182A6A2F97E08F909D038,SHA256=91051DEF5E1797B459B46E021503F4A17F74C589D97FB74310AF2E3D90069706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:56.309{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC922B1368235F8B6DB1210106C41AC5,SHA256=3AEF284F9C8A47C80DE88E036378845479ACB7C7D6AE5222AAE1E1EB2B6C3FC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:53.758{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49228-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001048099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:56.025{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8884-6151-F279-00000000FC01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:56.025{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:56.025{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:56.025{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:56.025{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:56.025{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8884-6151-F279-00000000FC01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:56.025{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8884-6151-F279-00000000FC01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:56.010{5EBD8912-8884-6151-F279-00000000FC01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:57.355{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A76B02C83375AFACC6F830C02EEC7A,SHA256=9D352B6742230FB0EA5969CFDDA8A82A1688E06AB4A449B908657C505C50ADCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:54.037{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-45284-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:57.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B023928E945C9C10E483FF4ED9EF6472,SHA256=4F389ECD2BCF613C0317D0E41BEC6C7ABDFFA0E2C3504B9D1092F09BEBDC475C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:58.341{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E37652AE5E6D5AAFAA6999A80C56166F,SHA256=EDF77633C1A029012CD12274E1A0CE57238600ACDBEF79BC762DD85E0DF599BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:58.392{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0370329534A059B280666B5D8EC787F1,SHA256=81D06FC61F09CAFC94D95EB54ECEA2C017228F238C46ADA45C9D04367EB659A5,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000976673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:01:59.825{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000976672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:01:59.825{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fc53043) 13241300x8000000000000000976671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:01:59.825{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b375-0xf2877b12) 13241300x8000000000000000976670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:01:59.825{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37e-0x544be312) 13241300x8000000000000000976669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:01:59.825{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b386-0xb6104b12) 13241300x8000000000000000976668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:01:59.825{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000976667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:01:59.825{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fc53043) 13241300x8000000000000000976666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:01:59.825{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b375-0xf2877b12) 13241300x8000000000000000976665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:01:59.825{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37e-0x544be312) 13241300x8000000000000000976664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:01:59.825{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b386-0xb6104b12) 23542300x8000000000000000976663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:59.356{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D44FFB7A0885F365D828F7F2D62D5C6,SHA256=2664978BC84805B0939480E1D79591DD7613978B9EA9CBD1EBB706B8AC5FD3ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:57.647{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64115-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:59.441{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=509EE7AA0800E47725D1230517729079,SHA256=042F5986A702C2672FC9E6D734969C41E48AA8075A212AF94BDD7494AB9AFAD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:59.200{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F53EE6ABEB9125DA2AB3A4B430C0D26,SHA256=8E5AB21FE9D2EE013EFAA2515BDAACB1E207F813A17FC7AADEFCB0586B4DFB2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:59.298{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFA2F4E54E0B82F11FFC9344CDB00E93,SHA256=9E4F36951B868272C7FBA7D0954F04C6F0475116E967169F907E4D11111EC4E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:00.356{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27554E3925A6DD899BA18A5BDBDE8DD2,SHA256=E28D9ECC0FF2547145A3BB2ADDBA5103A7B8E9F8CFF3E06CFCD570318E157C62,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:58.902{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49229-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:00.457{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C7D0C6EA31F146A654581A755408F2,SHA256=BD29F6FDD8E28BC734078DEB0C149C17CC520AF9C80D9C1F83332FC02C282D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:01.475{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAAFA493853EA55D1BECD838B604BF8F,SHA256=5C52A849F676C7FB99C5732B6200F7837BE731218C51F1660F8E44114F39B641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:01.372{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E18619A6747BF312FB294DC6865DBD,SHA256=F2B174BEA647F7F0CB413D18FB64D7CA46C01EFE7D92A4C7574BF4F81256F3D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:01.057{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1A852F9AC01AEA7F3BAF142D94FBC67,SHA256=5478A74B00738C242AAFE975400FAC986DC55E90BBE1CB6DAA9D172927F00501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:02.623{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84454E77CE77B1DCCF5A2AB77BA67B9D,SHA256=EE3F39773195EA11C3F02D85C247AD77773FC0A9CF9A2F4DBF2966790FFC140A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:59.607{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58710-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:59.273{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-16787-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:58.891{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59265-false10.0.1.12-8000- 23542300x8000000000000000976676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:02.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648C71A56C3083ED7F43D4426ED262FC,SHA256=347D15D2A5F9FD04F4156CE5CE286389262815C969EA9FFF33111386275E8551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:02.495{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=949068DEC749B58118C31CC5A1E9D436,SHA256=8105799643E3C43DD5F7DED5CD11608E62B605D27D32D43179F26101F5A30B77,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:59.201{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57725-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:03.495{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6538C14E7818D7BC3E105F5F710EE88,SHA256=FBE477412A552DCE78C63DC4FD08CC9C3D701B1C91AC350504179F72888E6658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:03.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D266D611BB117D940336B516D4C9B7,SHA256=85DEB8BFE2DADA81B50240419AC417B21A6FD17C13C5E442FDF9D391ED0C321F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:01.173{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59628-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:04.419{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC27050F14BA3208E77BA38149405836,SHA256=F673694D433EAB64E2679235882C32DCBA422AAF5B0EF05E17148CEFC9A36BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:04.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A220A78F789CF249E5E64DD2FB271C3A,SHA256=D1CF91DB5788320BEAF9DF63CAF7A7A91DC0068E8E90A1B1D024C0FFF721BB52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:04.511{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CBF3DD4792D7F8985BFB3A915D0FEA4,SHA256=AF707F46829F9302B925200FF4DE9B9E62A6FFF43DFA1438718AE11498A37CF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:05.404{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64E914F04BDF02CE082104046E5B9F78,SHA256=E3B580CC92BFAD7A5C5B739CA6F9924C6215DD5ABECDEE02E67A29C94510A123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:05.526{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16EA3D7CB18832417389981D3F7CEF56,SHA256=AEAB91A98CC6029ED163C560332BDBC3FB834EC5C9A9F271F031D9F731B1C9F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:06.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A22EF88D46D76677D8A218A250E4E10,SHA256=B3D44DA89404D51D829737D3E6ECDA8A981F1AD99D931C85EFD19CE18C58ED19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:06.404{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32572E34138EF89CDED73A214A2E9DF6,SHA256=78F435A7E549E574B72F34D48BC3047A8171C8E6EF5FD33E8BA7C88C7E1EB64D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:06.542{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471E1E4365EF20E7430C18668DBF3D6D,SHA256=0B0A4B8405E3EECC951DC871EB9576E42971C827C7C478B4B6D2500991ACB42B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:07.542{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67E9B08FB0F743BE965F9236C5679DF,SHA256=32BAE13B3A5205EC44F43FD78CDAA0CC425586C30E80215C1D026A2B49F6F493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:07.419{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C649C84504103FFBDC3EBB4313177755,SHA256=412A219324F8C4FD214DC417B15AD007AAD4EC949BFDC554995CC23EDFDEF617,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:04.047{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54861-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:03.716{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-48835-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001048118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:04.802{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49230-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:08.578{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B99ACCC4C997D7C863AA3C27D628C2,SHA256=10D58D4B1A7C6FA8F5B45DE6CAF6F558B794674770146082309E5A7385C72779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:08.576{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53D89EAB69D1D677673F39A1ABC39A86,SHA256=31CBB4F31AB1265B05A0DF6368709F0910E75FFAC08BB2EC924A59B4D9CDAD55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:08.435{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=832D25A40380346662DD0D3C326EE4CC,SHA256=8B7EA43BA17FEB98445726531FD2EE6D3CC4CF90A81F496320545783BABE3F4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:09.451{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C22C00612D508CD3AB899317F8B29BE,SHA256=2572FAD880E3D16BB51FCC0FB5BE10DD4989D3A61C784BAD642A0C9B0D6C50E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:09.594{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC44A32093F66B59E695A0D40ECB022,SHA256=313DFB536E0980DCEFCAAFCEA9005A38F015280D4C0288192D6C81D3C7705AE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:04.720{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59266-false10.0.1.12-8000- 23542300x8000000000000000976697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:10.669{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EFBF0EDED16E3EB72065B63E520D399,SHA256=64802AD7C225334A97A0C1FE249A60E06C6927CD6A1D5D300E81EEBE8CCB821D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:10.812{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BF023D62336D50F632D9CF15114C563,SHA256=267064738064379179AA4B5A604768E6FD24A4AB5AB7C5C651ECCDDBCFB757B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:10.812{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61FBA51F1F2C26AAE30309BAB303C11D,SHA256=4F90EA2AD5F5D02ABD33F1C32CE91E1522371C912DBD0D24D8F315E26B77D49A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:10.596{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B1CA52C8D1E0F5083D2CB45BC39BBA,SHA256=1D0B8101FEFC252BF2418116D2BE269ED4736A3C752FE488F52E1FD6C1B550E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:06.769{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63181-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:05.579{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-1271-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:11.685{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1625BF222070226AFDA79C22286B241D,SHA256=7D6CEA64DD57220CC170C6790239A52BAB9E485279C1C730BE198734DDC3961D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:11.611{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C18B2F4893A7D2BB8AD3FE145A321E,SHA256=0AB6827BF9966B021ED231355F3FB3AE35E91605EF3676CF290C93B76CA3D0EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:08.962{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63959-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000976700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:12.904{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C415558D64D79A0D360CC225F3A7EFFE,SHA256=51A24F9FF8C4AB13BD70512141C5A7DE8DDF9A1DBC540C969C3469C9A39E4C2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:12.629{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAACA486608F5CF37EEC9FBEA8AB44F2,SHA256=DFF6B63E297ECAE7D097FEA6115081EADD1146C08FC229C60355D51ED550D3B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:08.585{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-12363-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:13.659{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9908CD5B36C79A429FAF1249EA4AEB16,SHA256=DCBA6DF7E6E6DE0DCB378EA01E8D3F812CE97420E1185AFA1FB88D4D5B866FAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:10.766{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49231-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000976704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:13.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F3F6C61337D4E6CD6A707997B3225DA,SHA256=F93580F1B9E2FE925DBD95ABB3F4C210BFAA32E3C0EAD026170FB8FF5512B198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:13.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37998F3300A4FA2E0B1597CB33C64A66,SHA256=16EBDCA4224B5EBA3196D8446775AB3D1E1C7B98A46E2D056E53CAB7B5703C21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:13.466{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:09.876{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59267-false10.0.1.12-8000- 13241300x80000000000000001048137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:02:13.559{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001048136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:02:13.559{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fc56a00) 13241300x80000000000000001048135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:02:13.559{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b375-0xfadb35d5) 13241300x80000000000000001048134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:02:13.559{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37e-0x5c9f9dd5) 13241300x80000000000000001048133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:02:13.559{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b386-0xbe6405d5) 13241300x80000000000000001048132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:02:13.559{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001048131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:02:13.559{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fc56a00) 13241300x80000000000000001048130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:02:13.559{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b375-0xfadb35d5) 13241300x80000000000000001048129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:02:13.559{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37e-0x5c9f9dd5) 13241300x80000000000000001048128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:02:13.559{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b386-0xbe6405d5) 23542300x80000000000000001048142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:14.844{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BF023D62336D50F632D9CF15114C563,SHA256=267064738064379179AA4B5A604768E6FD24A4AB5AB7C5C651ECCDDBCFB757B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:14.660{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=350067C8B5197F7B4DB58C8F818E084B,SHA256=E2E0C6D43AA7497A5E802852308C8D083AE4EC51669871077AE4752CB0535F02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:14.138{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E10121B8A7D5A58AA06045CACAD00161,SHA256=523BD0583F7E9F59DE26027944FF31B81536745A6657B75AA4A56ACCA0D44EEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:12.629{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse119.167.194.165-62171-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:15.713{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D27BC7FCAC362C14A4E3DFE7D3804718,SHA256=A28C7D99B71BC537E42E6A0ACEC8E783BF6CB322EF3481902C6168C2CB430902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:15.372{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52EF81831803EC4748549A82235DC03,SHA256=6EAE69D5DB417FB2FF547255F00A9977A62B4765EA8B8E398B4BCC29AFFACD09,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:13.203{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61041-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000976706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:12.095{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59268-false10.0.1.12-8089- 23542300x80000000000000001048151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:16.963{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4298MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:16.780{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D709380DB3BAE19913152B50FFCB6D7F,SHA256=E6B12DAD1C1A53334FFBBF0995310C8C17965AB7F22F0DC43BF4ECB4C48F4F23,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:13.581{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-41938-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:16.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F63E4612A253094CF6DB814F5D7EBD4C,SHA256=80B42C3FDBC2F5FE3A1A6D64C65A2DE37E3DB4FE98B8A145543A9D4E4794F44A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:16.560{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001048148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:16.560{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:16.560{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFfc575b8.TMPMD5=DE3A0FA109221B18DF49AC1FFC6FE4B1,SHA256=ED397D4D656C29DB004817AED882B128D4456823F423CD84E3D3C39C431C5AC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:14.570{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51202-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:16.297{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05A320490C477D79B017F0399D4BF49C,SHA256=F55D6CA7BD881EDBDA5E0F2530639ACB17C7345185328C1FEBB5BE5C5FFB49D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:17.962{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4299MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:17.798{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4612A3DEE565E57DA4E687633D36009,SHA256=54CBC7C237AE380420C6E15C93721B630E5724DEB77BC5AC2AE98D6E14761870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:17.513{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B71ECAF651049F1CA18C0B7828B704,SHA256=3FB680BBE2D57AF7DBD743A4476415D3A40472E5FE6F186080B82D7B9EFD58CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:15.952{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49232-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001048152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:15.952{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49232-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001048156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:18.844{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C227C27EC706740448572FF97CE0072E,SHA256=79F93F07EC12C0B0BDAC6498CFE9E0BBB2340EBC3B54846AF826700F03264926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:18.560{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F3F6C61337D4E6CD6A707997B3225DA,SHA256=F93580F1B9E2FE925DBD95ABB3F4C210BFAA32E3C0EAD026170FB8FF5512B198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:18.529{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0067428E405D09FB804966C57FBB5180,SHA256=315143A6ABBB2FA9FED2085552DAC8EA9A02D275039D467CEFB14BE9B64C08C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:16.702{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53151-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:15.892{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59269-false10.0.1.12-8000- 354300x8000000000000000976714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:15.794{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-51666-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:19.544{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C6344154BA76FDCC1EDD71999754CC,SHA256=57DD985732D2CE56B71B56C8CB9541D0CFA3912B34DC63F33521F37D6BB6BEF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:19.859{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A9567375CAEFC5C9E175B628E12E4D,SHA256=BA73713C30EE6E9832CF16142F16219F5BE57F6C50BF140595E3569A96B3DFE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:16.753{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49233-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000976719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:17.656{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-12356-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:20.763{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCAF0A4F5BC508EDE67B999311B64F8E,SHA256=A74BA06A54E4C67F140759466A0C588CD1F6C0A76A09ADC0EF1CD506F9726B0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:20.861{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BAF384B683D925EBCAB9B405303E84,SHA256=BC18DFB5114F25167B4FCCE295B2718A257D9D2B003E450F6BF94CAFD23654A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:20.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=500C5A2F55E02063B13D7CFE5C5BE96E,SHA256=E45279ECB52F7738294403E8165677BA9F84195FAD744895EAFA949F623D758F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:20.579{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9C6B50A4505F0188B962F6ED3D19E8F,SHA256=C165D84F41F50002FD082219D9DEDB42B704A9C3B94C87EC054392590D1E273D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:20.396{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:21.864{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87714BC3DF8D79029F07DE475A63BA2E,SHA256=4CF324147F30711530D3A602BD9F82DEF3342FD4FCF39A9D5ECC867BD24BA2AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:19.784{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49590-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:22.881{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB2FCF6D004ED09FFFCC1034D5C055F,SHA256=4D0837F4E74FA553C1561834CA93FB2BDEAC1AFFD60FAFC13EB6FCADB9A46821,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:19.620{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50559-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:22.310{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88CF75961BF5601431614BE0F5303577,SHA256=20BAEA70D555F12E220D7B6F94E865FF50DF1EA7A4E2B042E16DF817E4CFB16B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:21.998{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C5AE7B1B9577C901B93DBF0CA56C1C,SHA256=24B94A1864DB66BEC4B23BB0D00D47AE72739FD157FADD6053114FAF060C3904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:23.916{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69E4AD2347F516542D1543145AE3A5D,SHA256=D62A6BD87EB0935D61A462554FAF54B389066274909B5ABDC18DDAFAC92ACD6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:23.234{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F981B107FB12DFE9D3B9418B101B2047,SHA256=BB5E29DB88732F2116F66131906C9878DBD994B27E879B1581CEECD6FF46F3CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:24.921{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465BD5B151E387E18A0695F7C342C166,SHA256=2431E54BDFDBE01C1A342788C1228BBAD7692678CE39D50BACAAEFE0EFA2362C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:24.312{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042232011793B1E9543D34020B12AC1D,SHA256=08D013FA1A79CE81BE29314CC7CB992F32D93E2E4E74D0BB5757035B8FC6D673,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:21.792{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49234-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000976724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:20.639{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-23846-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000976743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88A1-6151-8179-00000000FD01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-88A1-6151-8179-00000000FD01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88A1-6151-8179-00000000FD01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.906{69CF5F33-88A1-6151-8179-00000000FD01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.546{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35590C9C96010BC936F75BB2ED0D6E9C,SHA256=E36D95571E3C2330FCCE54321D6E385465CD29901A81C496AE18A4C1D4F45DAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:23.224{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com51892-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:25.168{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1273E0490BCC7ED3CBCB2BC58EAF05E3,SHA256=2EBD5C71835CB12315ADE655BD9923177BC2424FBDE29D1FBDC14A40B8E52D69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:22.134{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56792-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:21.847{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59270-false10.0.1.12-8000- 354300x8000000000000000976727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:21.716{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com50905-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.015{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55C9C81CFDFE35CCFDD255CB201751D0,SHA256=E9FCF51D25CD4869C2704E00BEA11C39AE84C24278C1395D74660F46B1EFE74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.952{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91870E138190164838C7C0F12583041A,SHA256=CADB887DE6C427BC873D1DF434BA4BB8C588FDCC7F9F6B77129B31491EEF2DFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.874{69CF5F33-88A2-6151-8279-00000000FD01}34284036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88A2-6151-8279-00000000FD01}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-88A2-6151-8279-00000000FD01}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88A2-6151-8279-00000000FD01}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.594{69CF5F33-88A2-6151-8279-00000000FD01}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.593{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB90DF7F97EB000A24F7BE33F6E6112,SHA256=296AB405D2F87ED78DEE83FD0D3E84F9DDB4228824828C8405FE6905E43A92E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:26.086{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616F5B72F12F85BB4D3B621077494CEE,SHA256=4933BE13B8075324ED1C3F6AA26385985B253D67ED5AD9D04D6BE324010703BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.108{69CF5F33-88A1-6151-8179-00000000FD01}38882844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88A3-6151-8479-00000000FD01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-88A3-6151-8479-00000000FD01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88A3-6151-8479-00000000FD01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.969{69CF5F33-88A3-6151-8479-00000000FD01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:27.119{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B562E45CD7638FF13B1A43BA69D0D0,SHA256=9448D52EB43D9A78A6E33966C73D7B8B35CFCD1CA9E61B7256BAC5582C1C98CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.296{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88A3-6151-8379-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.296{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.296{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.296{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.296{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.296{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.296{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.296{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.296{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.280{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.280{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-88A3-6151-8379-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.280{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88A3-6151-8379-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.281{69CF5F33-88A3-6151-8379-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000976803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.689{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-53230-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000976802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88A4-6151-8579-00000000FD01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-88A4-6151-8579-00000000FD01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88A4-6151-8579-00000000FD01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.484{69CF5F33-88A4-6151-8579-00000000FD01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.390{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CD35369A43906C0DAE6DC3C6C589DCB,SHA256=03187E64D4E8F9787EDADFFFF7DD468CFF9951210BE9EE9F4E569B7ED9496AC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.187{69CF5F33-88A3-6151-8479-00000000FD01}5122256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000976787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.124{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF83AF99FF8D75EE305C8295844A0B29,SHA256=EF9625F4E5F345F611FC06366EEE6ABC54E848076DC543E36EB8D7E38CE1E925,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:27.469{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59628-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:28.136{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE16D3E926357C80C34372770E62CC86,SHA256=72385BD428B69FEE5AD0E4C2FE4094CF6AAE640A7BF0B5BC1C0AA73E6352F527,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.152{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34A27FA10D8A00E3FCADB068255C2333,SHA256=E73E55E0F358C8AECDE4A9E04B5B83CAE827749104E5C06C99B6D6C4BEFBD608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.152{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14C7CF9FA928B0B43A004D3682E2F7D0,SHA256=ABC67DAC76D693F703B3791CE43760D0FEFC96D41012A01B0D3005A8D0881DB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.624{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07476DAA97103EA2DEBA1A400AF3971A,SHA256=C9F0BD4896E2831FE7CFEE3F1A3875F863377B14CC0CB1DA0FAEB122CB385B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.624{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0146DB2FA312C66635AB53692EC2B2E4,SHA256=9607E107179FE4CAD5C4C181E0C99D0FE5574380FCA7F9C0373A6C0F6A758DB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.009{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57054-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000976817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.343{69CF5F33-88A5-6151-8679-00000000FD01}40283208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88A5-6151-8679-00000000FD01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-88A5-6151-8679-00000000FD01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.171{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88A5-6151-8679-00000000FD01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.172{69CF5F33-88A5-6151-8679-00000000FD01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:30.749{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A4783B1985C399B425A2447F1568A59,SHA256=1BA1D79A2725BA277C7FB11C91D97AE251851253E8018DFE4C15707B8940DEAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.847{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59271-false10.0.1.12-8000- 23542300x8000000000000000976821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:30.233{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6717F145ACF0D7855AF7D92558A9F2D5,SHA256=4EF46DB26EEB9897B09C1238E63D9D6094E3449C41CCC91EB4552FFE014FB458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:30.385{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0E0A01136F45B9E4BEA4CD381C430E,SHA256=008C53F48E97E33475E1E2557FACD75E58CE9488C4EC81822D61FA53661D6738,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:27.759{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49235-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:31.407{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA2C74210E864C6911CF60F01D651B7,SHA256=437E56AE698695FBA5F9260AA706FB73F626F3C6A2D853660C97E141E21C2C39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:31.249{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254091AE2676761E7C2B77EDCAF72887,SHA256=D331E0805D0BACD6A10CD71A49927E6310B953386C268ECBEDEA86A87B25CC32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:32.407{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0EAF7BB114A833DD295BA73E0470EC6,SHA256=8539E43AFEFFE7B666D231C316EE481B3DC5364EF7EB8731724F067E131604D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.396{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de55054-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:32.468{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CA7CF0EC1237B45A3368AC5523E5E664,SHA256=E2A97408C9B246EEC2A0A9B16F4AFFF6694AA8025B83E0B3D5F84037D6D4687D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:32.343{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC4221673ACCA769505FFBD787F1F7C,SHA256=901331EA8F784B73160C37EBFAEEFE6C5E06F1B9E9072DF5A7D49AA1D7F918E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:32.015{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10CCE4004D16A5B48B93B02FD876409C,SHA256=433E985AB3652B65C9F67604524E8DBB4944540DBF524B765368B90F6DA014A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:33.438{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2914E28AE00F26234B14DE0CC507F1DB,SHA256=D78F2D0B1481D7F8E4410D017D2EF67AF354E3E9D24BC4B5DB4032F456212B77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:30.750{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-24005-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:33.390{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B58A164B2F5F73343AD3DACD977E466,SHA256=5A2C6BC879791BD24957AEE237157D4D8A5A645E7147CD2D1414E2ED6D0E9282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:34.452{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340C0BC1079397BB5D3573F0DADAC2BD,SHA256=B5B43F3D765DDD5DD56187CBA7BAE73297312793C75369F387917DEDF33598D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:34.421{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=016724FDCEDD9EFE9D3A4B356F6B039F,SHA256=73C3E95691A01B5D718AF78ADD38CA9EADFA559BD4A57529D6CC5F27684064A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:32.815{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59272-false10.0.1.12-8000- 23542300x8000000000000000976833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:35.593{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=867281B8875542AC7498CC1EB18E51D4,SHA256=8AB59187033E28D6338B19E51389E342209E364778E88B676A7D79C97D6C1247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:35.593{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6030191F126017D1C99B3B9895CF483E,SHA256=4B5AFBF1463D2B8832674D4CE648D49C4A43DC2E7BE790F8A7EB8A8725475DB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:35.468{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA71381E91C5629628324397047FB6CD,SHA256=A39D893DCB1E81D8393A10066E15E2CC2B7BD815459525D76F5C55AF7C8A5F6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:32.913{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49236-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000976835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:36.718{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35A6922B79A456248C18574010F8F893,SHA256=44770DD0D75AC17FFAD00CF841C5A483C358ECFC56D7A12A4DD73E2211913C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:36.590{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4BA82CCA7A1280BBB18068A7FDEFB29,SHA256=70549CC59DF6B087E656ADDB937213F733E73B00FFE7F537BA6473716BD25085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:36.424{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:37.755{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=153C20CAFFC0CECFC5EE4955114A2625,SHA256=509AED921EAD0E75BBFABD606F1BEBE22825ED0CB111DB840A30738C14860307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:37.755{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4473CE2AD6A116006763E55BE3387850,SHA256=E33DE66A8A12B0CE51FB1C9D369D11025B8961244600B8530C22E9D165670403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:37.623{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87384BF350ADDD1F6DD11264D6DF7138,SHA256=C1021444F5C4DF6F9EF9B97BD1E13551E0F9E2C34C8E7F1CEFD98753F968995D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88AD-6151-8779-00000000FD01}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-88AD-6151-8779-00000000FD01}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88AD-6151-8779-00000000FD01}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.734{69CF5F33-88AD-6151-8779-00000000FD01}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.733{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2378847D51F6AFC7113E84CC3799F6C,SHA256=975C8DBF4046A5D7067D905490D7126BD638DB7089866EC008F63BE617A5D124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:38.638{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E14B69152476DA31434C1CCE56ED41,SHA256=75F964E7FF00AC124030A86C1499EC30C470527481E1CA1DA86893274BE80A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:38.749{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36D705E57D42F511B8EFB49A16D2352,SHA256=3D9B0135B86E94D604B85EB650073FC1195F7E552D0D75D1B031A9839EB3A1A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:38.749{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A69B7423167E50A6BDB4207FEBB21752,SHA256=0BFA75781C48347363ACFC6BCC771E4F49CF61129ADC4E671CF3D04074F51108,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:36.637{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64083-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001048221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:36.100{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49237-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001048220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:35.954{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65054-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000976854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:39.968{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E0CFBF311541E0086CC950C434C013D,SHA256=30C7142796DA6FF1C99DAAC246F76A031C4E846E05871BF8E2548D43568D1E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:39.765{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F70D487BB1B75D2C001173EA208B256,SHA256=24D1591837C9B1E13F2262F6377556C75995AB6589534BC854E6F5C164400684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:39.752{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C536666163C4872C5B320FC107C4CAE3,SHA256=AD924A158803B14BE1A4876C4F610A2AAC31FC46F63B9EB8A46063CC5383430A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:39.185{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1B26A23067FB8B657D472F48BCBBD64B,SHA256=35B6493874EAF6F623C20FB646055BC38CE69CDDA5F4E92E8D854337DB630F17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:35.585{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-51815-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:40.780{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9AE5C700A487F0DE8BEA108578A3B7,SHA256=55561F8298140F81C7E44570D04375B1CEC615F1E6A6154EA1644C12F583A78C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:40.885{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAD07BCEBAAAE9921930293936DFA05,SHA256=B5A8EDAF4FADF3D419BCEC82C24FABAC10FAC6A63C88DBC78B131EDFD7F779E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:36.659{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49833-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001048226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:37.914{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49238-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:41.903{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D73E4EFCEE76DD4A4D00C9E0FB36D35,SHA256=D2C8C04E6EEEA680EC7CCAE9BFEC748BBD08DEBCF15796D85F912206F1DB83E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:41.780{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AECAA202434D64C0D895799D1E29D7C9,SHA256=211DBAE94C32F7746D07ACC5499E104173AADCD0CEC5812D1C9757423C4665C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:42.784{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559715095D294CF3BD239BE8D8861D99,SHA256=254F717A8E1847AC92D2A1034907B8F560CCEE96BBB397FFF421303324CB9F94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:42.918{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04AFAE9EF6E9E2D3243AB22055CAAB4,SHA256=2B60EFFC5DE6001828D276E11C4F57D0F03B1190F6B9E337FB3C83F5DF03F228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:42.644{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C14092917984FEA1550767CDF71E1486,SHA256=2EBB8208DAB638731D1EE07D85B3649C292CBBA7F70647CC11B3571400FC7E37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:38.800{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59273-false10.0.1.12-8000- 23542300x8000000000000000976862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:43.800{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DAC8E762C58F91A409223EE51BC637,SHA256=20B1F220C8DDAEE8F80D1890268AD0E43185939C04AE57B558E5E2906B5116E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:43.933{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779302C0F1108ED18DEBEA01B6664A76,SHA256=AB0E475099CE65E9C55AE06DCAEA90DDE124FD18BCBB12E8E6B2B57D233095EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:39.563{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-22213-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:44.816{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B876DCEBDF241BDED7A11318F6E627BB,SHA256=16CB7C8EA1AFF3C092134B8E11B5200B69C9EC9120855AF26D5892B3BFEA86E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:44.748{5EBD8912-88B4-6151-F379-00000000FC01}41206540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:44.585{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88B4-6151-F379-00000000FC01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:44.585{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:44.585{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:44.585{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:44.585{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:44.585{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-88B4-6151-F379-00000000FC01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:44.585{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88B4-6151-F379-00000000FC01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:44.565{5EBD8912-88B4-6151-F379-00000000FC01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:45.831{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92F4E0A5B9BB14E05D29590DA62C904,SHA256=8479D8FD53B5AF4B4BF83EBB765E4CBF5EE64D8E509EE6CC852BD7D7E13129F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.732{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88B5-6151-F579-00000000FC01}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.732{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.732{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.732{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.732{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.732{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-88B5-6151-F579-00000000FC01}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.732{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88B5-6151-F579-00000000FC01}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.719{5EBD8912-88B5-6151-F579-00000000FC01}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.584{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74D65872640752695236760C21E45185,SHA256=00E42410A89C1DF4179D325733A367E47A73CD2DA74C133705D985809B3EA770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.583{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=153C20CAFFC0CECFC5EE4955114A2625,SHA256=509AED921EAD0E75BBFABD606F1BEBE22825ED0CB111DB840A30738C14860307,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.132{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88B5-6151-F479-00000000FC01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.132{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.132{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.132{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.132{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.132{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-88B5-6151-F479-00000000FC01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.132{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88B5-6151-F479-00000000FC01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.117{5EBD8912-88B5-6151-F479-00000000FC01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.063{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD159C6C1F3C1D033DA0DB926144C522,SHA256=19EC15C05AD3F0E738AF9A25E3D180F4966D96851C3E47E75BAF5D910DB0A882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:45.644{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6B0D64E55CABC845D4627B9DF26355A,SHA256=C087E16A636D4BCC16D5B6163353946DBA13FBAE0385AAAF8A154585E579CED5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:42.702{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-34510-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:46.847{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=270AB08BB2704E934C17DAEADB69B2E6,SHA256=D7304EE5FB7F8488A980BD9C2AFD80B5DABF5AA9E65F7A040410E8F62A86D47B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:46.716{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74D65872640752695236760C21E45185,SHA256=00E42410A89C1DF4179D325733A367E47A73CD2DA74C133705D985809B3EA770,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:43.871{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49239-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001048260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:43.809{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53709-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:46.085{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA073ACEB0D76342FD40C44EBDE6FA17,SHA256=A854011B292C3A076C8D0CA70E5D9973C1D27028C48DA1A867CB08DFFF1879EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:43.867{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59274-false10.0.1.12-8000- 354300x8000000000000000976868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:43.384{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54171-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:42.957{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54734-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:47.863{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB2F286FD9EF2741B47C4B6A979BD9C,SHA256=091C193BDAA92E3E04688C216EBA3839F9455BF4C01462EA9E7F0C45E0294B8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.166{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54687-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:47.116{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A268BD111BF4EE740CB83195EEB96C13,SHA256=94557DF9F458C98C64A3B77E76F2982B00D4B06399B6A5498A84AF6D0049F9DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:47.691{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF9B2CA5744CC8763313CE11EB55C404,SHA256=BBB8278B0675C904FC791F2A68D6B57FE4280B8BE09A59D0339E819E50FEB493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:48.863{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=458A253D5399A29F117A5CD1EF13ED2A,SHA256=6E9C572911BA3D54E4C05FD84A9CECC13493BA531FFD9C21674FA5F8118DFC94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:48.164{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6BE5050928C5D29D4A74C62846F6FD9,SHA256=61C021A279AD710A74FDF034525781460674E8375BFAFA8B7A6CDDCE1EA91A83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:49.930{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4299MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:49.865{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E97404FFF5AB837A824C671816607C,SHA256=813FEDBD1C9E0BD2074735DE046D6C7B443B6C29A6FE42796961761678A2FC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:49.164{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41426D6B4E4A326A09CA1E23224D081F,SHA256=F00E0DB15A80D6C1747825E8A963232E9E203C00225720127322EE72B11B4685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:50.929{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4300MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:47.605{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-4468-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:50.865{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C262EC8714ADD8DBB1F5DADDF5C228C,SHA256=3B502E4EF03E60C7DFF3BDB722A527C2319F9A2C80C2E6FAA23770A7FC7EA8C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:50.200{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C946C05A1AF9B765BD3147B033C6F19,SHA256=72FE49354D001AE31572896F5315AD99265806727FEA760D8C2975B3817DB309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:51.866{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D5BED405005E006EACB50456D079C8,SHA256=9E238663C7A6A34F00FFFE3449C901B1380E6287150E0F1326CD9243FE0BF437,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:49.808{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49240-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:51.215{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB963D9E4EC6AB8F92928E7C8902CE8,SHA256=0698CD0D39D8DCA4D21E7CEEBBF7E60C2733D978EBFC19EB63EADCD0E944C257,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:49.851{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59275-false10.0.1.12-8000- 23542300x8000000000000000976881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:52.881{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E068F99F854348D72F75EB544C956A20,SHA256=94C53074D4903BC1420792707C827E761E72ECC8DAFA41A501BA714B18CA175E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:52.261{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7D99BFCCB42E08A237B6985CAB38BD,SHA256=705063C0AD9BD76F0225E8661A25057EA63779452937EE8F17E4094261176CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:52.678{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF4226E834B9BE2303757232BD0EA28C,SHA256=D03EBE33DA74259AF293E5B07EFBAA56F79AB695D7D4047196E3791B6F9B0582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:53.881{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D015A6A9B3BCA882CCD9E4CF309E2798,SHA256=86B7742D8D20939285F1709BD7FC79C148B243DAAB6E3258F91151393F412AA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:53.799{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E560933781D885E4C080635C9AD83909,SHA256=7F3FF57E301130171752AD4D430B07BF3FD2EC17D15ED829174E5F1388E9C63F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:53.799{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42A404BADD2DC1855E94FD134C8E4CA0,SHA256=4D74DB54903348D66B4645E9B4BF7DDACA00E5802C1E4711EB4F75F89F14296A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:53.299{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AECAC94D572765334746BDC7CC3804C,SHA256=8CF0E1B4BDBFFC4087C0D0E23E3FD5FE6D6D811024FD498899F2806F1E188E97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:54.897{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5040F9C9F7F1C04EFDE06AD164DFF2FA,SHA256=84304E33C90EA5F5F99113333EEEDBA49217867F15377F2427933B7C68158A7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.915{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88BE-6151-F779-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.915{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.915{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.915{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.915{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.915{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-88BE-6151-F779-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.915{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88BE-6151-F779-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.900{5EBD8912-88BE-6151-F779-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001048284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:52.167{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61009-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001048283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.383{5EBD8912-88BE-6151-F679-00000000FC01}57046008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.299{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB5510C53E6A0E3E47485990E541DBA7,SHA256=3318EE0B8FF9F441E78A0F4D9F07F320BBEB16C6DE72AD716263452C59AA77DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:54.569{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87AF7320F5C51206B54EC242A3CD71A0,SHA256=AA00316BE273C089DC030F575BA4464E0F8C0EA941DCB84BAA1ABF55AB70FEB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.061{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88BE-6151-F679-00000000FC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.061{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.061{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.061{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.061{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.061{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-88BE-6151-F679-00000000FC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.061{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88BE-6151-F679-00000000FC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.047{5EBD8912-88BE-6151-F679-00000000FC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:55.897{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72BB7C4D1237E6D5F3DB1FB5AAAE2372,SHA256=0A6B3A24D52CF1214300AA260C0426F0878AE72681B31D1FAD7DBDF02892208F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:53.390{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59880-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001048303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.531{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88BF-6151-F879-00000000FC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.531{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.531{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.531{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.531{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.531{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-88BF-6151-F879-00000000FC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.531{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88BF-6151-F879-00000000FC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.517{5EBD8912-88BF-6151-F879-00000000FC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.316{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4256F2533B23EB67C51EBB0823C6FBC4,SHA256=E25F6F4567C6C9CAD0D94BE26DE71AE27484A9C024F34EE521BD0B2DCD5AF1C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:51.882{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59523-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:51.629{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-32890-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001048294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.131{5EBD8912-88BE-6151-F779-00000000FC01}33805884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.046{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E560933781D885E4C080635C9AD83909,SHA256=7F3FF57E301130171752AD4D430B07BF3FD2EC17D15ED829174E5F1388E9C63F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:56.913{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF82E59CD4DA1F80080696105C2131D,SHA256=52729722E35FCCE232A5A2A7639D489249F17ED8314D2FCC82E98D72FDA35E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.530{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C9AAC7E7526613CEC26F426A39A5E99,SHA256=0986C526241D34CFBC15DBE1F87DD4933D0848D44A61B64F8F5CC3EDBF4D762A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.446{5EBD8912-88C0-6151-F979-00000000FC01}39644680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.383{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD8132C10E9AE6D5A775B5216496810,SHA256=36C2E26B998F5D38269A85D11D9D00CF3710FF996F5F26982B134F6111B0D50E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:56.741{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2AEAB7D352DA4FA9E27976D9F105C6A,SHA256=ACFA1F042A10E0575728A69172AD37191EF4765F3E1B308E75A807D79E86A7BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.215{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88C0-6151-F979-00000000FC01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.215{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.215{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.215{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.215{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.215{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-88C0-6151-F979-00000000FC01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.215{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88C0-6151-F979-00000000FC01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.200{5EBD8912-88C0-6151-F979-00000000FC01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:57.913{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4289672FB40276FCE4F90D8984A9FB3C,SHA256=42843A302CBA4C6C9BA58C2DB2A50E7C53D09FD25DF044B006FF15FB354CE2F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:57.913{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A025449D18ED4949C97D37AC59DD4B8,SHA256=A5B5CA3590DB77F00591964ECA0A82B0475BDC7C7CCDD138B56F60BEC89F4E45,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.791{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49241-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:57.398{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E194E98E00A6FA18A5B0BB6788A478DA,SHA256=C37CEAC721496109EDFDB13E3A6492E784D5BA01A22391E74ECCFF287473AE15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:53.676{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-44227-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:58.928{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D98BACC6E974A9591D5C12865C439EC,SHA256=7E8A9857FDD998881B685176BA291C8D2C3C42481BCFF3B5FD06BAC0FC7DFB7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:58.415{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=557D8C85A1588ADC24F3097ABF7D9BC5,SHA256=B009C7278EE51B4D2BF5CDF9723BC3749DB61EF9A960D2ECBBE81031716EFE82,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:55.228{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61605-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:59.944{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DBFA565E21CB899C8D402E471476686,SHA256=16872FE01EA317B96CDE7128125D88F38A706B3EE5FA64D0D0C6038A6E1C0E81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:59.429{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D498827454FA836F4D977F5BD6F7B22E,SHA256=EF74CE8DFA675F007256562F2296286AB07C918859E9AEEBF5B41861A8B224AF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000976921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000976920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000976919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000976918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\FlagsDWORD (0x00000002) 13241300x8000000000000000976917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\TtlDWORD (0x000004b0) 13241300x8000000000000000976916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentPriUpdateToIpBinary Data 13241300x8000000000000000976915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentUpdateToIpBinary Data 13241300x8000000000000000976914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\DnsServersBinary Data 13241300x8000000000000000976913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\HostAddrsBinary Data 13241300x8000000000000000976912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\PrimaryDomainNameattackrange.local 13241300x8000000000000000976911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\AdapterDomainName(Empty) 13241300x8000000000000000976910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\Hostnamewin-host-542 13241300x8000000000000000976909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000976908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000976907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000976906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000976905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseTerminatesTimeDWORD (0x615196d3) 13241300x8000000000000000976904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\T2DWORD (0x61519511) 13241300x8000000000000000976903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\T1DWORD (0x61518fcb) 13241300x8000000000000000976902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseObtainedTimeDWORD (0x615188c3) 13241300x8000000000000000976901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseDWORD (0x00000e10) 13241300x8000000000000000976900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpServer10.0.1.1 13241300x8000000000000000976899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000976898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpIPAddress10.0.1.15 13241300x8000000000000000976897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpInterfaceOptionsBinary Data 354300x8000000000000000976896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:55.823{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59276-false10.0.1.12-8000- 23542300x8000000000000000976924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:00.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8C7AC11663AF48D31EEA6ACC0DFDF7,SHA256=6100B4B815E826FB5ACCC80A119521694DC3F5DAA2E8CBC677915F163A7CD3CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:59.108{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49773-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001048322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:58.628{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63314-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:00.478{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD0CBF897F2BCAB2B94FD7E96CB50AE6,SHA256=B566CB87720883174AC51E1851D40F848AD6D4447C70835ACDB168AEE1921E09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:56.754{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-56490-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:00.428{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C7035988F90B31A2BC1C2707BDA2004,SHA256=B544537D72EAE60FC4D11DA1B9F3E53B90272D557A000BAA13AFFE466A152FB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:01.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF72538CEBC5B1481C9DCE7679ABFBBE,SHA256=419CBB577DA6488083731F60ACF4C0ADB67B26B70BC13C0B08A4F3C6D1F47E02,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:59.543{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-64585- 354300x80000000000000001048325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:59.541{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-59035- 23542300x80000000000000001048324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:01.497{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113E745820F9E35A818E4A4017894DAF,SHA256=6F2B0B11E6F2E35725DFE19B7E7C9D6264F77EB0E4C92F02C1721C0D608D3B1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:58.480{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c8a0:5491:e98:ffff-59852-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000976927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:58.480{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:e060:eede:318:987awin-host-542.attackrange.local59852-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000976926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:58.463{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x8000000000000000976925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:01.320{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7AAE541B5E33BA88C39ED0F1BE24073,SHA256=C77B40073D8A268BE9D6F8CA133BF469C14422AC9C9EF7F13348C849FE43DF4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:02.946{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEBD5DC346B43D2CD9E477CFCCD61995,SHA256=214D93500E3BF95AE46C3EE5BED3E147584438099D5E182B862A9A2FA3784B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:02.554{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D922711EE2E87A4E421C17E97A241F2,SHA256=8FFE1BE9ED408A0F706625F865B9E358438ACD8F8FF6D9B5C3CEF302E9A0AE80,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:58.612{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50455-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:03.962{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A31AEF28ECC120ED77CD27603D39F6,SHA256=CFC6B6CD206F7D4D2DEE217B7758E3F0D6A9816B5B597635D930ACEDC87CE429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:03.611{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1ED182E643CD02034FDB563B58BF2D,SHA256=846AAC5EE16688D4D5615B2901767B9D7EB1F386C4956FE1F8E7F7788C80925F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:03.899{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D9C73BDBF1BFDEA97CCE6CADC7CBA05,SHA256=BB621A68B6DFD74D4B6E3E8DEB6554748FCBCC7D825B1C2AC1CF9396BB8CA113,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:00.899{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-27700-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:04.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B1F3CFC437F3F107B5076C554585C37,SHA256=D784B7B63B4B28866E59A6718F375F990B8D005D2E360A2C6A491C30344AF376,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:04.858{5EBD8912-7F30-614D-1600-00000000FC01}12682712C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:04.858{5EBD8912-7F30-614D-1600-00000000FC01}12682712C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:04.611{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFF8C19CF23D18984C71B27D3943909F,SHA256=AB761162C068B7027BEBA4CDB8A3B4A7C3672E3E15F6B52BD64660AAA9BE6763,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:01.825{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59277-false10.0.1.12-8000- 354300x8000000000000000976935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:01.159{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49168-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001048329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:01.734{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49242-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000976940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:05.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF50AE958E4CB59D774440AD6FECF9D,SHA256=A72B146410CF423D0348EA400369217EBFA1BE75B04DCA7EB61176E3922CA3C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:05.642{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39D548FB071C2CC13C1C273EF4A58A4,SHA256=1874E9233F03CC9C1AFF7133A2A56C43DB0C7B983C4362183FA477A37098093A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:05.884{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E24F41C3A423A054E7D3E43122F23249,SHA256=117B767AC9658CDF1B37B2F9B71BBCAF8680C3418FA475C4AF077A4BCFADCA0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:02.876{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-39318-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:06.993{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1176FCD8252E057A580F63D93A286DCD,SHA256=4A341557251AACE8FC304981C50549B15DD7A9BF5848936118B19583C4DFB63A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:06.993{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:06.656{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A548F86C8A8593BEAA15A285B27A9710,SHA256=164017B61331AAEC694A324A435E964ADF3BA4A8DED40D7B5260E864F79F2939,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:06.294{5EBD8912-7F2D-614D-0B00-00000000FC01}6241764C:\Windows\system32\lsass.exe{5EBD8912-7F11-614D-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000976942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:07.993{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B34E015498E7DCB636BBC6D89799C8,SHA256=343A9CE9A848C916057FE31D94672E23952FE678FFD2F057121060D2EDC118E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:07.675{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=005DD16DE64319B139E9E612E2CBA904,SHA256=FF3DDD195C8EC8AC26E4BC53166070D1455F55793F7FFB698A633662547DF9A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:05.987{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49243-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001048339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:05.987{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49243-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001048338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:07.309{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=671B720D86A09CBF2AC46C433D09A513,SHA256=CD872D9992A6D16642CE8C89679EC718123C8A295BC075A88BF6D21662FD0C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:07.309{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87B9904680FAC864DC7A1C1DC450A69E,SHA256=1126822A1DED0FC28E8A3BD232A7D3F0FED54795665BF8ADA19A990B02A23300,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:08.709{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:08.677{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18EAB4B44205E790BDED0F86CC92CACD,SHA256=F1E90F5376006AB7AD93497749DE4789E3B8604BDB9D12AADA87DD53F96240BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:05.461{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57244-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:08.196{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B66A96AC8333187C69C93DC91EF8A78,SHA256=08F7DDEC8D08DD5D7D0A0FC6ADE02BF70F5A2C5C8B19EED096B91420C4E76145,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:08.472{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001048353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.073{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000001048352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.073{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000001048351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.073{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\AddressTypeDWORD (0x00000000) 13241300x80000000000000001048350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.073{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseTerminatesTimeDWORD (0x615196dc) 13241300x80000000000000001048349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.073{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\T2DWORD (0x6151951a) 13241300x80000000000000001048348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.073{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\T1DWORD (0x61518fd4) 13241300x80000000000000001048347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.072{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseObtainedTimeDWORD (0x615188cc) 13241300x80000000000000001048346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.072{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseDWORD (0x00000e10) 13241300x80000000000000001048345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.072{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpServer10.0.1.1 13241300x80000000000000001048344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.072{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpSubnetMask255.255.255.0 13241300x80000000000000001048343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.072{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpIPAddress10.0.1.14 13241300x80000000000000001048342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.072{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpInterfaceOptionsBinary Data 23542300x80000000000000001048360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.693{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1D1681F43911C16EA409EE3CC6DF90,SHA256=83D09F8F9C709BCB0985627DD99F68CD329D2158BE78FAC25841965E43021609,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:05.946{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52376-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:05.855{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-50316-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:09.009{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=324E633A3D2863198B921FCE2FC879EF,SHA256=25673651C404B1E98907F01640C4991DA00777CD6FC13C6B530A1EDC74ADA7A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:07.763{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 354300x80000000000000001048358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:06.766{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49244-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001048357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:06.460{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-54372-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:10.710{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37083A32477CA2F950E9472ADE43DFAC,SHA256=C10E296DC9B35C73450FEDE45A84FC77E01F428E374E736708AC29874BE9DEE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:07.731{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59278-false10.0.1.12-8000- 23542300x8000000000000000976948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:10.024{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD6A2D56CC4E0FA60E80C88E66193292,SHA256=8B23FCCDCED2AD93F55F2298DA4755CA2DF59EA48985F4BC8C510260DDC600C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:07.769{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:c8d0:b50a:84e0:ffff-57218-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000001048375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:07.769{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local57218-trueff02:0:0:0:0:0:1:3-5355llmnr 13241300x80000000000000001048374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001048373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001048372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001048371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\FlagsDWORD (0x00000002) 13241300x80000000000000001048370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\TtlDWORD (0x000004b0) 13241300x80000000000000001048369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentPriUpdateToIpBinary Data 13241300x80000000000000001048368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentUpdateToIpBinary Data 13241300x80000000000000001048367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\DnsServersBinary Data 13241300x80000000000000001048366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\HostAddrsBinary Data 13241300x80000000000000001048365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\PrimaryDomainNameattackrange.local 13241300x80000000000000001048364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\AdapterDomainName(Empty) 13241300x80000000000000001048363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\Hostnamewin-dc-429 10341000x80000000000000001048362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:10.110{5EBD8912-7F2D-614D-0B00-00000000FC01}6241764C:\Windows\system32\lsass.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000001048361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.110{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 23542300x80000000000000001048384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:11.714{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61A9AADCC761C515F14EF28204A157E3,SHA256=AA100A9DC25C54EAB42FAA60780E2195B4704C7591AF81478B4EF54F53DC15DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:11.055{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF05DB3E58AD33F43C7E4E09B416E842,SHA256=7C2BE0F0AB4894E700F0294D9006A61DBB2CCAABCF2EF2277330D9C1C3E385B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:11.024{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAFE9224B48291A82A985482382C2C12,SHA256=8BFA300641DF4E8AB9B3A49F94E983FEACCEA84B021D9C6BA0CB23330F436BC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.812{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local53228-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001048382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.812{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local53228-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001048381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.810{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local49582- 354300x80000000000000001048380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.810{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local49582-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001048379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.809{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57733- 23542300x80000000000000001048378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:11.141{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=671B720D86A09CBF2AC46C433D09A513,SHA256=CD872D9992A6D16642CE8C89679EC718123C8A295BC075A88BF6D21662FD0C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:12.716{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0E2DB695F735E1D7BB267B4A32201B,SHA256=D0A7E2DF850F72A238ABE84721B74BAF0F5182E06A10BFB2C1EBE7267D0FB8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:12.040{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A5554F08E88237BDB102ED410C4129,SHA256=ABE9A502F485B6BDBD5A54A068716CB552906D8ACBE2D9D73740A0AE67FC027F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:12.700{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECAC8390DA4F9CE924318B3914601967,SHA256=B73CD60776F16066248F49B593B642D799C4486AE2CA9BFEFE2D37E5AD770C15,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:10.085{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de64881-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001048392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.823{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local57621- 354300x80000000000000001048391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.822{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local58669-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001048390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.822{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local58669- 354300x80000000000000001048389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.822{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:c8d0:b50a:84e0:ffff-58669-truea00:10e:0:0:0:0:0:0win-dc-429.attackrange.local53domain 354300x80000000000000001048388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.822{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57936- 354300x80000000000000001048387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.821{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64460-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domain 354300x80000000000000001048386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.815{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53229-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001048385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.815{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53229-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001048396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:13.800{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D091CA033A79E626EF1049FEE8EA53,SHA256=89C7B78A97C6E058A5889D1D9312526BD4527FC8138699D827DEC180FD8079A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:10.043{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-22079-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:13.493{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:13.055{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B65659BF80AB5583B4F684FBFC674C61,SHA256=5B1AE3BE35B4B9AE7260963BE82D95F75EE3550284A660CB2A1FA784AB5AAB26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:13.024{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E60ECCFE2D9DA94D1D9AC699471A51C2,SHA256=81B78CCAEF5CB060631F788B4FE85D94B67FACBB066CBB1978DCD5550967C239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:14.815{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0FC992FCFE1DA2AD230B56DA4E5265,SHA256=64700DB2486578AE9DCE94B7C6B08FE62C8BE113463857D3F854E0CCDB41E4F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:14.071{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B96CC9D46CE324DC0EDE1EE36FD80C,SHA256=42DF079A3E410AAFF20BF35AA60E662EF18218456AABC19B6633DC5FFB627ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:15.830{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F16025F1589D71C58AB1166EEB9622,SHA256=9DB76D8AE39C514101397479819A69FD7C7468AA7FD0C76BFCFEF863D1941917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:15.071{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB815D55AD04ABC513EDF44A27F590C,SHA256=BFDDD6519921CB473F19E97D4DF83548E89C8152EF0B49617CBB2D9180271EA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:12.724{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53230-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:16.845{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10EABC6F164FCC80EFC9CA5B74147968,SHA256=CA3E8775FFCB409C64EF0462CD98118AA7A18072301FB2DC4A12C059FE126533,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:12.122{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59279-false10.0.1.12-8089- 23542300x8000000000000000976959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:16.087{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF1A5E951836DD991977DB0DCF67E49,SHA256=D6E019155684FD29510CDCBDB8C9B612C4896F642C1DD03AF209569F16B82861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:17.848{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A1A4FA9ACD063181AC4A5E7E97D3DF,SHA256=CA87BD40C38B5FA11865AB53EB9C2C750A52A9BD546257391B8492B046B923B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:13.042{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-33008-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:12.903{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59280-false10.0.1.12-8000- 23542300x8000000000000000976961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:17.087{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12645B4326575F7C8F11D7E2449C3CD5,SHA256=2AB841E1DB309137B61BBD914FA2A8CB4214064FB15EFA0C164471AE4C98A01A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:15.969{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53231-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001048403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:15.969{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53231-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001048402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:15.910{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64151-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:17.283{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8633FFBB68A5B7B05D90F8890D30CD74,SHA256=11ADB6F9606919647E2D8AE7E82EFAFD4A03D0539793263EB36780C6F859875C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:18.901{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87756B633F8C044581A69BE51FB74BB3,SHA256=1C9382E6A926611BA5544BD06ACB2C8099B6CE3A2B4F2AFBA580C49E47B57F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:18.196{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAC00284D2A12A70908DED18EF743872,SHA256=12E40D005AADD21D2F16ED153A08970252170B34398B46425B9FBD9951ABA620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:18.196{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F06E16F6E4E7D0C1F9F36F998360C1B9,SHA256=5463CD28DB4C38BBF2D0784F5E926889BF4DB21649B2C60787411C4FA3548C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:18.102{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61EF464718524AC6FBD408386A7B3AC2,SHA256=3AAEF277BC754977403BB31851A913858D822B2D16709C29FD525F92E4E5BA1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:18.482{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4299MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:18.333{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B56D11202AB43F61C84253E94D854EA,SHA256=64ABC98D0A1660C6C4670B2F5AFAD2716A074FB23FE1D0606211F17577BC4E2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:19.916{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918D36D1BAB2D7E16412308C9FB4BDDC,SHA256=90B007FF5466D082B8B793D114219839D5B63314FD4AA7B42777F5ECC6E25601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:19.118{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6688734949D690BDC91F0B630A1E26D,SHA256=0F7B9C61D82BCC76FFD326AC65B4F975BAF06D53D546D512462CADADDE05224C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:19.481{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4300MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:20.931{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5814557A2C470F75667A37CCA520DAA,SHA256=92D18B47D4B1BAEDD86C211D8A1EECDEEC326FFCF6651F709DEEEF9A8C0D2C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:20.227{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAC00284D2A12A70908DED18EF743872,SHA256=12E40D005AADD21D2F16ED153A08970252170B34398B46425B9FBD9951ABA620,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:17.454{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-54325-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:17.145{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-4378-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:20.134{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B431B95CBD94766F2FBFCBB893F1C355,SHA256=E4A6CFC900DE2AEECF61E06E60F9E8B5B83AB7775E6297FF0861F8924F557B6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:17.840{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53232-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:21.946{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C4F3D7B22E48375FF717CD14824CBB,SHA256=4EB3E4C1CD86371C7A709F30A2DB9B0674FBA562E56585A8A2EE40557D76A047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:21.149{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D9BF176AFBBCFBD60192E22FDF1E74,SHA256=277E63AC5FBD98CF872ADF17F39ACD815C39C18689143FB52E7BBFC1ABD1791B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:19.967{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60493-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000976974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:18.778{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59281-false10.0.1.12-8000- 23542300x8000000000000000976973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:22.165{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162C020C81279F4070E7869FB2365BB5,SHA256=8CC492FF27E482313B6DEE8408512115A99E334D4B48D66FDFF8D6D66252889E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:22.032{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F1BD493224334E6A38722D9B9B6082E,SHA256=40579BD76EC503C807836A59BB2A65799A21C1B1A0082914C920FE277D50E8AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:23.166{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=931D9F62959D0A2058F866F6030BA45E,SHA256=94C7BDCAD379B039FEA5A948C4AF3BB6B53D346B6900C80C33A8073FD04D26D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:22.244{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61944-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:23.046{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A152E1B57BF2B75BBA3437E0F2C9A7AB,SHA256=CA62B0F481C1545E761685BF0AC4FD6EFED29A79D825C14EDE417DABC9E78246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:24.629{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE278B436658F84A714D1263FE76F7AD,SHA256=A19C1CA9020DB7234D217F4179C2314B26CCCE091D62E2EED11878C54D42E28D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:24.145{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8DB86BF2BC82891298889C81427239,SHA256=4686619F833DA45827FB3ED7BE12E67DEB154EB9D289FECFFF13D90228467446,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:20.422{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-17381-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:24.166{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B91E9D09AEA54796CAD289DBA1D68A5B,SHA256=5308B9B1B552B41BE080545690D54378485BE1310A7C9A8847881FE25554E4B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88DD-6151-8879-00000000FD01}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-88DD-6151-8879-00000000FD01}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88DD-6151-8879-00000000FD01}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.901{69CF5F33-88DD-6151-8879-00000000FD01}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.182{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E86A49F24EF344114D097E5B6666A9D4,SHA256=F0D3DE59EE4F606995F7B88DA6F260A5D360F82F6D4942D5C064E3D66BF3DD01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:25.159{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=981C9B8FE78CCCE39D83B050BB583C29,SHA256=00B426FDEBA03AB4C96421C8B672A54EC17A451FEB51A5305E85A7F87F6A0546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.025{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9D2A9239C6D13957B212A75C1F0CE4A,SHA256=8ADCBDEA276F77E6693FF7796F743377DBD68F9C8F74F235DACAD7034D448371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.822{69CF5F33-88DE-6151-8979-00000000FD01}3208372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000977010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:23.307{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de55189-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:22.357{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54945-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000977008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.619{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88DE-6151-8979-00000000FD01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-88DE-6151-8979-00000000FD01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88DE-6151-8979-00000000FD01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.589{69CF5F33-88DE-6151-8979-00000000FD01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.197{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC657F1712B8CA7F8D573AAC6A7BB2F,SHA256=4A4D7B2C3C63018E0D017A885CE23420F8D399441CCC45114E9A4E6F0C98DA95,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:23.772{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53233-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:26.160{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6025085DB6F309E4325C2AAA81D6358A,SHA256=1467509AF0C3FA246BA700FEA2DA3083A1C21D502EE39322946C5ED5297BBA7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.150{69CF5F33-88DD-6151-8879-00000000FD01}34083112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000976993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.119{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6062B4CD6527B3C7AAB2112E4FC3A9AC,SHA256=089528133E18987622223E36A6A22AA696399E7FF716ADF536BE82D5BDEF77DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:27.213{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11CE55D283F765A7237598638873722E,SHA256=A66B92331556F695F60C17D171DAE123569A0C7B55B75A37604208CEF9B86481,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88DF-6151-8B79-00000000FD01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-88DF-6151-8B79-00000000FD01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88DF-6151-8B79-00000000FD01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.964{69CF5F33-88DF-6151-8B79-00000000FD01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000977027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:24.764{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59282-false10.0.1.12-8000- 23542300x8000000000000000977026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.619{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53F4205B5BB639DA868F236CC729C2D9,SHA256=3D151A054ACCE435B941EB1788CB9CB096A2B42C9930CC8D45F00EABB499AE8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.291{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88DF-6151-8A79-00000000FD01}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.291{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.291{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.291{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.291{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.291{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.291{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.276{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.276{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.276{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.276{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-88DF-6151-8A79-00000000FD01}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.276{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88DF-6151-8A79-00000000FD01}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.276{69CF5F33-88DF-6151-8A79-00000000FD01}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.197{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB5B60FDBD78B3E1FA3ACA0255D5E2D,SHA256=42F5E04940B7D305E911BC7FECBD981C0AEFE5865EFA4793B68F2E824F9C6213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:28.243{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9DD8BB28B67CDB1611A3E5FFDF574C8,SHA256=503495DAA659EB054CEB554914205036D848C31BC4878BE6C01A016CCDFFFACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.979{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9479D87CB12431F763E974992345CDC,SHA256=C09F9B89BEF782838B43283EEE1C2E32F173EA3A99859087C01F6CAD47C67282,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.065{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-49208-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000977055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88E0-6151-8C79-00000000FD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-88E0-6151-8C79-00000000FD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88E0-6151-8C79-00000000FD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.651{69CF5F33-88E0-6151-8C79-00000000FD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.260{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F9AD7BA696F8CCC05C07AB1BB603314,SHA256=BF09C7E97EB2B4545FA7EA1CA4110435E674AF56E755D3096A7F7CAD20D0C7E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.166{69CF5F33-88DF-6151-8B79-00000000FD01}3284012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.557{69CF5F33-88E1-6151-8D79-00000000FD01}23762548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000977071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.432{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=650D206A01BA9135625072F4BDA61C80,SHA256=32766EDC721E0B87B3F57B55E8FE6EC884FDABBA112757C4FA89E49D9AC1BFD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:29.275{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724C8A9DB2955079B2990F554D15B05C,SHA256=B0B6857AA902BFC47BD579F240851DFD2D08B5A081F79F27B764CEB15685949F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88E1-6151-8D79-00000000FD01}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-88E1-6151-8D79-00000000FD01}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.354{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88E1-6151-8D79-00000000FD01}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.354{69CF5F33-88E1-6151-8D79-00000000FD01}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000977075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.429{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49399-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:30.650{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC0B7F9A24CB7BB3F5ADD62B8955ADB,SHA256=43D8B350476E174EF3D477360C29ADF0640EC1BE1F6FB3723ACB659FA29014A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:28.902{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53234-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001048429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:28.518{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49411-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:30.296{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620D7A9B66A2403C0C271BBF427600C5,SHA256=F73B2AD91BB9143B74328B59E9FEEEB6BDACE1F50FEEE8337424ABD278582A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:30.260{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F81472974BC94CD6A8E94C30B38246E7,SHA256=0EB18313C270A3F810BC4EE1DB1EF1DF6121E9FF80E85715D1BD4A54C7D2E471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:30.259{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B55B3E7521D24D121889BE6DCDDE99A,SHA256=34587DB94449ABEC9E6D4E21088888E834A62DEB75448493B39CA1D031F091E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:30.259{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2B9FFFD39FE447C8C264F4A6D3AB426,SHA256=0A400668DF1973124E96884F9EB649A4B7CD7B887AD485AAE8AF5CF0DA64B9F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:31.885{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE7AB9D3DE7E4FA2CFE813CEAF4A92D9,SHA256=7923A7FD7666E9E809C0D3ACD50112BA54A800EDB53E2F7983FEF2DDAC2168FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:31.311{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=737B4E8CFA3E8C828912196E78E6C733,SHA256=5154FBDE57AA79309438755EEF56B94C44E1D94EEC1DD6DB1B702CA32C19BCFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:30.984{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60841-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001048434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:32.660{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:32.598{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B55B3E7521D24D121889BE6DCDDE99A,SHA256=34587DB94449ABEC9E6D4E21088888E834A62DEB75448493B39CA1D031F091E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:32.314{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEB240A1E35290399730B9C15602A2D,SHA256=162ACD66C15658044F51AF421815E1D11B5F5D65CF8F9DAE8AB0DF0731507D07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:32.479{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=88A5201975FF8D756DC52C9621C992F7,SHA256=272386CD4EA52FC008B9224FD86A24F0AC383ED0194302C7EBA1B1DB134E6885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:33.329{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907397DF3C78BFDF9AE55F121287D03E,SHA256=07B6691631F0FE9544494D915B86370E1C0169322F542C389714E4F675D1F944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:33.244{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=514115CF6FFA4DEAB8C77A05940DD7AB,SHA256=9F44AEF968494419AA41AB1A5A1F3A7C8CC04A4E75A566A48E1A7CAD9F27B268,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.905{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59283-false10.0.1.12-8000- 23542300x8000000000000000977078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:33.057{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1671C18494D66BA8FCE0DF529014D6BB,SHA256=7A59A00B43EB1D0481BCEA6424F91D6466AC39B55BDDAF6045E8415229125800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:34.359{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE81C56B410D861D0BE7A5A24D812CB,SHA256=4B3DEE49DE7879EA40229132D8FEE02A5C1415A5AAC862BE854F4F3370CD1796,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:30.179{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-20855-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:34.119{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31AE0C9212E5D1D5015A7A68FF512162,SHA256=A9E28B6B00EDB2E66536F8D65042E03D52A456F25CFF09C70C26E5617FDB049A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:35.527{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E01435452C118C63D5AB735F33F14D,SHA256=B7AF515D788B70D5BF1D5C6CA7D9A8980609C0BCFB8E538361B4D0ABCBC30AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:35.244{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4837728003770DEBC7F66303ED04FDFA,SHA256=DC3BF45BBA1C02FA1F9B1E43B988466DA3AACD87879A1FBA1CFD1BA0BCFC4070,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:32.409{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52442-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:32.242{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-32855-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:35.135{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4267BC847CD001A4B492ACFA47ABAD49,SHA256=FCB89483EC97D0A9E529BE43DCC0301C336F3763CB449E1B3BCC5677C86BAA50,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:34.766{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53235-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:36.597{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F524D105A21847208736F22A96B0842,SHA256=0AB2669EF4AC633D04E3233ABA07C4F54AC983F17E4B8E5D49C00CE52AF1D783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:36.135{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E9686A0A3215A6D58B0021980B35E4,SHA256=2415120CD6426C6094F9ABA74CC1181973B56D400C0D33074D6202DD03E7DD24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:36.442{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:36.118{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53236-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001048442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:37.612{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC44E0DC13A6FBE2BA8814F1DDBFBD65,SHA256=3333B0EAFC33583DA25479BA155ADD0CB653B3C8FBEE621D819AC5318CCD39F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88E9-6151-8E79-00000000FD01}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-88E9-6151-8E79-00000000FD01}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88E9-6151-8E79-00000000FD01}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.745{69CF5F33-88E9-6151-8E79-00000000FD01}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.260{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=261FDF425B670BDA00316FC41B76A54E,SHA256=50925C743040DA66E935E11C221B23E676D7492728772C76C74094E512FDBC9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.260{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F87A395283F2BB265A8C1F59819BA45,SHA256=7DE035D710A6CE49FB62B930693FDAE3F9729ECBA332BCC62E204780C8E51097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:38.612{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F9DD0C8BA1B1329A4222CFB00FF370,SHA256=1BA16F3FEC5703F77A493F904637A6055021AEBEFB9E562B9ED8EBE47C1625C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:38.963{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D213D411EAAAFC2214AA9642C04831A5,SHA256=9794D3119343D9A4F05C6F21729821EBD92F64A331278E58ED2B77AF3C9EB7F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:38.260{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034DA90B56CDA69FDBBF4E7213A2F4B5,SHA256=2625E89B39BBD4D83A1D49C07E7AA8EFA5A78DEC2399BE83EFE4331BB6C734FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:38.575{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000977103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:34.211{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-44696-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001048451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:38.216{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49948-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001048450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:38.068{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55299-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:39.743{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CC66E38347D5D64CDE8B2CA81404393,SHA256=3B312A0C358745DACE2DB5AD9C4AA5EEFC9627462EC291A09E831FDBBB65A0F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:39.743{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DC41C9C6165B3655236716EC51694A8,SHA256=92ED8C38B87B149579CE5A871472E1E6199DCE81694F8D63ACCEA28FA96FB19D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:39.627{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A0F10AD524DA9579DACBAD9D156456,SHA256=775CBCB300772E2F90AEB5CD0FCCCCE9BE266ED056F886B7D21D62C3A20495BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:39.307{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EFB54E60BEAC683DFAAF9AEEEB90C1,SHA256=475EB94E97ED41BD4B60C503CFB33F9A150F5AAA0C6D538505323BDDBB5A2B6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:39.197{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A47400881E5DAC66BB62DBB39BFDE09B,SHA256=C41F477B722CABEF74D75471E35E0EAC4BD64C26F102B74C271E97B1CE7C12F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:36.328{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-56517-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:36.309{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54796-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:35.858{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59284-false10.0.1.12-8000- 23542300x80000000000000001048452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:40.632{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6A0177D7F102ABB954D8662087CE86,SHA256=48A14217ECB8515A95B32759837D8C0E1C645D8590D240C796AA9F2F51A322A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:40.307{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9563CE4145D7EC235AA1D9C6538C5D8,SHA256=D41ABF98ED6D8C890500FC253EDB46EF367245C761AEA31071976FA864B8F963,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.425{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50220-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:40.166{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17DB83CDB05A43636A1CB20F69F2EBC2,SHA256=04B9C7985E6E330AE22161FF9B5C28CABFA5BA8F7F72C25BEFAD0E2548BDE489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:41.322{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E1B9C5D61EAE1989E566F91D82F195A,SHA256=07E0F84071C7A0C01881536881E0CCCC7CA7F5540BBCDE43197EB142237B2D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:41.700{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3860D619870846C1E492982AE45B344A,SHA256=1826BFC6E5194D843A5416DB30710E3A8A20AE4BC6224AA35B594935CEFB5620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:42.715{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D520A5AE0046714388EE8DDEF4AA5F95,SHA256=E120FC8E2C24FDD1A899E5446E0DF13241BF1841131E480AA3003DA5FED464E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:42.322{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD7E4B460CC72EB9654BCBCB72D2758,SHA256=C7B74B5FCCE8B615F46957FDD0558F00D1625CFE83E8B6B3777251FDE1E86626,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:41.685{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57560-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:43.729{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1644DE28F7DAD32DCFACBD919F6162A2,SHA256=D27C9E764398F9B3FB3CC398D53647548FDCF307F503C757F3BDA9B723937712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:43.328{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F4276F14A00A33A90BAE4D6B5E4350C,SHA256=F803E4DDF8F0028C2071D8524436A4A263A8E8F900E9E80EE90CE2CC9D9A4E60,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:39.908{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53237-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000977115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:39.375{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-9286-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001048468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:43.001{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58440-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:44.760{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4156A1803766FD40E87E8D97F2DF4903,SHA256=536A2A2F728DA7DA04AF6D2C2D5168743F2A0A3D81D19B5976AD8A3F31A8FD05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:44.469{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE52508C27469F6CB6AA20D4709C4CBF,SHA256=6FE5A0ADD3BB39B6A0A7273FEB4036C2D5568AB6B0B65F386F6727C252B04817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:44.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9472F52CDB2D22823A4CDFDC2AE7F71,SHA256=FE1F5F80A6EF267FAED569A15FC16559623594050CAB99D68E1B88BFB45BBDA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:44.598{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88F0-6151-FA79-00000000FC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:44.598{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:44.598{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:44.598{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:44.598{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:44.598{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-88F0-6151-FA79-00000000FC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:44.598{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88F0-6151-FA79-00000000FC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:44.577{5EBD8912-88F0-6151-FA79-00000000FC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:44.029{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CC66E38347D5D64CDE8B2CA81404393,SHA256=3B312A0C358745DACE2DB5AD9C4AA5EEFC9627462EC291A09E831FDBBB65A0F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:43.470{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com51129-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001048486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.831{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88F1-6151-FC79-00000000FC01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.831{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.831{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.831{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.831{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.831{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-88F1-6151-FC79-00000000FC01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.815{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88F1-6151-FC79-00000000FC01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.801{5EBD8912-88F1-6151-FC79-00000000FC01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.762{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1CEB15CA50DB396ED21D34A5FCAB30,SHA256=E2D7026B1430E09CB5519318734BCE113B661CBF19685B7EE0D19F44662DCB92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:45.484{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C73EF1809C51A0A014CA2F6A74EEE628,SHA256=E248C8A5CEDD7FB2CEE4730F3DAAF4FE742AFE467423C2AA6D1DB3C9A2B43A15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.230{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88F1-6151-FB79-00000000FC01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.230{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-88F1-6151-FB79-00000000FC01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.230{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.230{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.230{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.230{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.230{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88F1-6151-FB79-00000000FC01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.200{5EBD8912-88F1-6151-FB79-00000000FC01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.098{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11947A35E6C293B03A4795A96A094013,SHA256=A645C3CE9C46F1913AFCBAB85A95A5961749BE00D62F36E8DCEF6A5705B96EBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:41.754{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59285-false10.0.1.12-8000- 23542300x80000000000000001048490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:46.764{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8DF06D283EAAE87FF5E0CB7FF8A7E77,SHA256=DF04F565A8B253F9DFACC415659C3BD1F9198DB36F9A918BF85C29D6020C2BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:46.719{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9EEB7422066A2056D292CE428196AE,SHA256=D13378889114AC8F296B21E487358ACD8952A1C66D8E08D8902BA33FDED1C18C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:46.217{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F1E699687043E4E9E3255563B3385D1,SHA256=BCC79FBF212447760D8E584ECFFF30F45D5F211F9A6F73416339CD0CE471C948,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:46.017{5EBD8912-88F1-6151-FC79-00000000FC01}60806040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000977123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:46.516{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3C56FF47F2424354BA7BAE93312C4A4,SHA256=C6BEA2E89FD74A86408A0A47F456DCFDD093156731D0A63E81F94A4EE0310DE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:43.481{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-39476-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:42.107{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com50521-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001048492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:47.801{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:47.781{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0EE1091CA13DF4B9B0D87652656C44,SHA256=5782C352DDAC0F976C5B06EF9C0FC63EE322C505B49DD0A2392E539B70913DE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:47.734{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD214C1E8E9F3A1886E8C9D712B5D3C,SHA256=CEBECDD9A4FC32964D5EE6BD14FA58012938A552C85B9724EAD0F8DFA1D055BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:44.467{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57331-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:48.891{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=741CD439A6E290C4FA722D000F246B9A,SHA256=0340D3094242622FA4019A3286164C82E393A0BD0C1A6A76FB453D87C5660584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:48.891{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AB805B9275B8F28A4C435BCD8E0E5C,SHA256=3151D179EA4BCFAC0128D890FBD9E52F347E7F7C0D793147F7CCDE80CF33F2CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:48.800{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA399ECF272E412C1D2BB62E4349EA90,SHA256=5AA077193F7E871AD0BE0FBF22ACD109E03CAA3E126471D3686512518190A816,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.824{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53238-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000977127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:45.945{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60879-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:49.969{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDEFF770321D37DC2E700B570AD45736,SHA256=C299FC179B0CB194DF2B4BD4FDAB72254424FCCC3A4EEC68FE3C0F22E018899E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:49.809{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C1682283C33C89097E6D5C12536BB9,SHA256=29C4DD77391D92ADC9BCD15A5ACC5540EBF61F7C5405DAB7885743C356BF8998,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:46.842{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53239-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001048495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:46.842{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53239-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001048498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:50.840{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22641DC6DCCF057A0E469BE86BA94D1A,SHA256=160516989D1A7E5F51DCF2DEF4B66D32AE3CF307E29EA87BCC3F21F478EFCEDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:46.731{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-51764-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:51.870{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61A31DC8C3655DA0DF74C97D7A91DE78,SHA256=7697CF1DAA6973EF727A49606B1F280B55C9FD5491769A06A415A75093E04B4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:47.723{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59286-false10.0.1.12-8000- 23542300x8000000000000000977134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:51.796{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8145CB72347BCF6BA5A30E995455067C,SHA256=88B6385F01241256B5DEF3FDFBA5578256BA6B8DFC2051C0509DBBD899F8C054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:51.455{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4300MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:51.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BA9F7684EDD99ADA721AD31627D796C,SHA256=33D991C2A82009DBDDF48DC0E064636FBCE7F17E19BFBA9BD2B4011BB78F2B1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:52.872{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3BFA2B4E0CD0266F6E94BBE84CDD202,SHA256=5527D996EC2B117AA98744F12DB6CA7DC8F137E9A8188F20A1DBC1756214EB98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:52.469{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4301MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:52.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762E938F934052C2804C6AB3FE10543B,SHA256=D03755E5A71A5BF9A97D2ACEE86B12E184CD280D9766A93DBC270B8E3E38F343,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:53.890{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA934115BE0508F7AD6C0E61DC55E28B,SHA256=343D61E448A2C61E1D964E08BFED7937CCC07433300BF8AC9CA0A5668CB04779,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:50.925{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63859-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:50.735{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-22848-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:53.766{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC31A7F3639AC21FA4A158E760F8497F,SHA256=45AE4D96CDC6C60EBF965EF94A84A4D52A2D08E2884CA9C2E526D6076E2042BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:53.172{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8BB916373C0B4251E734B1E222FF460,SHA256=135531662F6B97BC053DA0109EAD038E9C5C2FDCAC212A2443BCFE89621EDF86,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:51.293{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de53426-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.925{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F6B43FCE5360F2A5653724D8C121188,SHA256=89AFB87B9D41E8EFCDB93BC7AF06D6FFF42F1EADBA89F82D86DB3FAA34963BC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:54.250{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD27985A752029721C117B51135B23B,SHA256=BB2236141F2709551D9A8CE71BD2691BAE895B8CAE79DF36B14666908AFA9FC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.756{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88FA-6151-FE79-00000000FC01}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.756{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.756{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.756{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.756{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.756{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-88FA-6151-FE79-00000000FC01}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.756{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88FA-6151-FE79-00000000FC01}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.726{5EBD8912-88FA-6151-FE79-00000000FC01}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001048514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.272{5EBD8912-88FA-6151-FD79-00000000FC01}37521032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001048513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:51.730{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53240-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.093{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D81389242AA7F38B317DCD5727BD5593,SHA256=740A070D1720D9E140ED6C9A453C3D74C31BD8A4DB0EBAEC2F72375F91B7C70B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.093{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A0DE72DEC3997BA255905E84869F057,SHA256=F31DEAB9A35A02930C5B8558AAA03D91FA89F15E9C66A361539782282EA41A23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.056{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88FA-6151-FD79-00000000FC01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.056{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.056{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.056{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.056{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.056{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-88FA-6151-FD79-00000000FC01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.056{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88FA-6151-FD79-00000000FC01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.041{5EBD8912-88FA-6151-FD79-00000000FC01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.940{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFCD5D2B5846598932B16E040C15D162,SHA256=E40841D67B7DADA67F4F918FF6F4E7FC6CB45E21CDD2F78171A74C6019290F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:55.657{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0790CA47AA8C6D1EE018F69477FFD184,SHA256=D9D736803B221D651D15C35737101E8C4AA9C14966F64BAA04BEF63E0ED0888F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:55.407{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6396CF77F0EC1955DE5834AFAD5C95C4,SHA256=6181BC05421BED09DB44385587E42C52BC3F1911E879BB4B087E3F1CD265E6FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.725{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D81389242AA7F38B317DCD5727BD5593,SHA256=740A070D1720D9E140ED6C9A453C3D74C31BD8A4DB0EBAEC2F72375F91B7C70B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.593{5EBD8912-88FB-6151-FF79-00000000FC01}38763200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.441{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88FB-6151-FF79-00000000FC01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.441{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.441{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.441{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.441{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.441{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-88FB-6151-FF79-00000000FC01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.441{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88FB-6151-FF79-00000000FC01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.426{5EBD8912-88FB-6151-FF79-00000000FC01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001048524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.025{5EBD8912-88FA-6151-FE79-00000000FC01}52166220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:56.992{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A05C52E4281E57C8285DFCA6563CD4,SHA256=1B3DABFBF4D2A454C313EF16B0AF9AF06332632D3213B7C57B4B92A9AA31EFE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:56.500{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC03A54FC0E567CC2EC6ECAE63AF94B3,SHA256=DC80571EA90A7D50E0325ECF1C0AA425A3296AF0489FD100BB0D80DE3023257A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:56.093{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88FC-6151-007A-00000000FC01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:56.091{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:56.091{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:56.090{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:56.090{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:56.090{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-88FC-6151-007A-00000000FC01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:56.089{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88FC-6151-007A-00000000FC01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:56.073{5EBD8912-88FC-6151-007A-00000000FC01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000977145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:52.020{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64685-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:57.516{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5802EA2B9A9688875D5EC599DA82D3E,SHA256=F26714FB9554BC80123F15DCB123B1744A5D036F6C141FC83BFCBC77CABA4742,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.057{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64244-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:57.090{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDC5A8F5DAD60D16DE022F98EE2D94DF,SHA256=41C3E4E6D13820BD8BC2139CD23168A72E750CC453D91DA5E514C8A6983CF8E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:53.739{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59287-false10.0.1.12-8000- 23542300x8000000000000000977149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:58.532{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B776DAA1DB654990A0B59DA7C821FD,SHA256=28A003604B9BE06622B70805B0EC79AED341FC8FCA12C689E4BE86F486FD91D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:58.108{5EBD8912-7F2D-614D-0B00-00000000FC01}6242836C:\Windows\system32\lsass.exe{5EBD8912-7F11-614D-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001048547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:58.055{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22EB90F302F792B68A1F3EC4D6FCA824,SHA256=9010ED5434C20FFFC1E1DCCD92BBE5A59881F1C10FA9A980D1676566FF1590C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:59.547{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB66B5AD44620B5D30E03321D633CE32,SHA256=F36D50638C3C4806360B105850EA78F255175432CE7123FE41358C68D70D5C85,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:57.803{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53244-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001048556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:57.803{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53244-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001048555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:57.690{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local53243-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001048554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:57.690{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53243-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001048553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:57.681{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53242-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001048552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:57.681{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53242-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001048551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:56.831{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53241-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:59.057{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2441E336E764FC4C04570FC122B519C9,SHA256=58D28464EAB7721B530A42AEA6FC8BEEC3C5772FB6E91FF045B5FFC4380812EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:59.010{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0886C92C9CE3104FCD7CFEBBD48A81C6,SHA256=429D2F8A74E07E7E078FB70D0C8B2F48E4D2BC2B98F69FED6230A5DC278E27E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:00.563{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F31A6D0D97E1B83A57701EA238FB4E7,SHA256=E5FCB23BBF1939335814B4130C4CFFB3090C40EE5081710911B4592DB9AFCE5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:00.072{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59514BF38FA9310E22647756146FC50B,SHA256=F98446777B9E70ED05950D1B2EFDA185D2B72E8EAB93271EC8CF04C6236D5E51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:56.923{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-35328-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:01.563{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465506350C77862B1705011B17AAB219,SHA256=694A0E65BE67329D44AC4F5E284460CBBEE9806A4AAA5603F71CC13FA2DFA4C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:01.140{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C06B9A1DD33C630661527D42487735A,SHA256=B3C32C561BDFDC0C55BF2DFC3F564C07CEC7A247BC02CF407A6464F0BD48AE34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:02.565{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9CB009A79ECF3FE0181385E0205693,SHA256=00960D70F23C3FB7DBE19D49FFFBBBC3976B0155DA6DE5F2CB85F85078B304D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:02.172{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A4130556EBA0158013F909BE61F1BA7,SHA256=A885B68BC5A236EB441FDEEAAE5ED0406F0CF04FCBEB8CC774C9DB305244E6FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:02.000{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC865D85033AD9D67FF269EC16539E82,SHA256=154EB6410CC3DD3798E4E622B16EA79A0882602A73F7C2287E817C6DB70D5F17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:02.000{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=956B12BB5D4CF547110ADE107BFFD78A,SHA256=38607AC75B0CFC713C105A7CC7134329105015F21341304EF3A1307FEE45FE45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:03.581{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0FC69FF73BF43CA2BEFD08B6156B1E3,SHA256=15A1BA3C899A3A1A85CE47F00DE65D4DE61476299B74A689EF1B1B53B053EC31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:03.192{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64B50A1DBA3094BFFE48BBA0B0C68D92,SHA256=BD33D466FF0F5823FD31419D8F4D8F957EAE499FF47C87A3C96839FE9D866DC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:00.039{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-61845-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:59.708{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59288-false10.0.1.12-8000- 23542300x8000000000000000977162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:04.597{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA7C0A4EB93C67797A4F1C33929AC9D0,SHA256=9EFEEA199082DCF43BE64A7DAEDFB9D93AB3C0C6B2624F6DA735A857830AE47B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:02.831{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53245-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:04.207{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FBB8987F7E9DA1FB18FFF319EC5899,SHA256=AA3C30B66E4E859CA4484FB9CD418BDC13FCB8B204CF6A5DA2660E585D3A2E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:04.143{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC865D85033AD9D67FF269EC16539E82,SHA256=154EB6410CC3DD3798E4E622B16EA79A0882602A73F7C2287E817C6DB70D5F17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:01.453{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-55003-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:05.597{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F37E430243A3435D621B0C27C9E5BD,SHA256=37BD3445099E30EB2A7BB3DFF31E5AE41DED31E0E145213153AE341598B473DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:05.238{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F7B7EEB6BF6980EBAB441BBCE411D8,SHA256=8140E0D1B06C0BF6B4701A3F92761658DF9036C0C78F7D2849B5B5E3633B0686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:06.862{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48FBF061C0A7A2BF86216EADDB43E3E3,SHA256=CC7E91711C3B5B767F297CBBB58A181985A5EA6CFF909BC80FD9D716D3C681B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:06.612{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0FB31F3575E2D497F8DBB4C5CFE1F3,SHA256=F6BA44B86E04E2C6C56519A4AB6D55EE975ADCA0CB38A80E76AF00B5EFB82130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:06.392{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=384641D93BCC5C25F036C4555AFBFB0D,SHA256=B63E2670778CEE0EFC3A585C6BCEA0A9F2BC496A189DA35B1B0E6B48BA7D3DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:06.391{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12657D365DDDEB871C2FA8D8C64EAAE8,SHA256=60D8081F4A8D577684B42CB22182C8A070D158898838226667266434463C798D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:06.239{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E58286A3C64015A7DD8469B8632A9B5A,SHA256=4954FCB5782CECC3C887D2667A1E2525E62080C534ED6611745C2D6D3B22D1F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:02.059{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-23618-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:07.628{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812E9180160E0E0F6150616E1477292A,SHA256=C77CF7D9BC0ADD714C2D40D60FCF7FBA633241409EBA8B8CF1C5B8BAFDF2D9AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:04.681{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55396-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:07.249{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8081949DB8049F8345E1A1CFB0A6F83A,SHA256=A2ED5AEC0A0E9B775254F34B4BAE1D34F274E5064AB25F7C61A3B23A060074BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:04.819{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59289-false10.0.1.12-8000- 23542300x8000000000000000977169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:08.628{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6EFCB1454D441748D640D1D8C2E3E5,SHA256=1EC161CD6C5757D5C920B8801F9F602C5D24A240543174869217F4C8ACB1FF42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:08.917{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:08.264{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1F62768872D9A5955CB8C151B7CCE38,SHA256=2EAAC1D2A4BE9B23BA3ADC0A1199690201446ECAA66987985E7CF343F155C255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:09.643{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9CD2F0ED29899B410E92998899CB43A,SHA256=413D1F902AF043FE8C672E63C6FE60BB8CAC18CAC99CF57FCD9E8906DD5BCABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:09.864{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=384641D93BCC5C25F036C4555AFBFB0D,SHA256=B63E2670778CEE0EFC3A585C6BCEA0A9F2BC496A189DA35B1B0E6B48BA7D3DC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:07.840{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53246-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:09.280{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356A135E29070E7FA0475D61AD8971E5,SHA256=D89EDCA3A8D2BF645A7B1896C1E4D4C49E4C623F90B0FF36ADF352CDF45E0247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:10.659{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57989828D342AF6B8AD699D637DF0AD0,SHA256=EA8229505B3E1E4FCE41E1B11D3800BCB80750C73C21E5223997B187C48F4055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:10.317{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D4A72CFEF23CF9ECA2B10C9D952D02,SHA256=67006CFC144F33D0A39860790A689C5714EF2C23EE8C7D3D4FB5217D2F2F1C53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:06.891{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-51832-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:11.784{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B65AC6643B2C40FF37479C4C617B51D,SHA256=A54022FA50F4BF57630023196DC2F8B44ED3BD2F4352CA2BF311F0EDF584AB01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:11.675{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E283B9618E5EEBCF5E02EAF2C784F25D,SHA256=CD353C59A2DA29FF533C2CE23EF45FBC4F52E9D60B387A9A75C08770903C254D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:11.746{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C30EE8CCC0EFBBDB6CC2142276F6A17,SHA256=B59913333092F865183B36651D74F564239EB58DC710ECBD8AF284A1783A4BDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:11.347{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A3B10C10CA4E3F3C4738F61E0A5777,SHA256=A5B8D6166F59B6FFF5CCABFD5DAEFF51EB93DF411673FB9A1075553990D99683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:12.690{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A08AC078658835B83A1D8A83289B102,SHA256=8139273D9912727326E66259F661432B55FEF17BF2D2AD396CB5B5B6BD8D18DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:10.096{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60848-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:12.361{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C113412D07D7E66333F297F403627DC,SHA256=4C396A43EF9CD3DE97E05985100DF702D7C5C685184A32CD83ABB5A4FD4B6800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:13.690{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0380B5D4C3AE561E83359C71B10509A2,SHA256=672A1D85E6B6D5C7CB4B728B741232567CB374D287A2D9B9931FD35F6F1ED2AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:13.395{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A7C2E3EA79483121C89BA0E259C3B2,SHA256=E945E6C9920C2AEC669D197B9FCAB348543CBAAB389CFF2F3C99B27C36B898A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:10.772{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59290-false10.0.1.12-8000- 23542300x8000000000000000977176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:13.518{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:14.706{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3018390F09E03E1648A2769C024AC023,SHA256=CC5F43385D82CB392E097D5A14512A9111783BC7F7AF0E618C81609368D96554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:14.412{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE9323272EB3603602F321A3F04877C,SHA256=4D21078CA664105EC15A181132CB0DF19CD93611F5ECFF4C08C00CF1A554365D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:11.799{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-21517-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:15.721{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7BDAD7E635953FCFDA18200A42E40F2,SHA256=A6068CE45B2FB850FD79E4F524B71082623954411B423F7C8EDB8B2F12D98AC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:13.836{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53247-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:15.458{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A707F8473811291BAD279860FCB717,SHA256=24740CE69F6FBBD768D95B4ADC76FE884FA5D5D24C565D4E6A78DDD1E8C8A8DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:12.253{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60700-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:12.148{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59291-false10.0.1.12-8089- 23542300x8000000000000000977181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:15.315{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1DDBF9278CC481ED4BFFAD07B4A884D,SHA256=B4FC82078BD6A1201CF28B1443BCC3AD7243EF6CF7BD087C47C39545DB8E7CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:16.846{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC1CC0979DF1C5B7CC8CE8DAE99C5D7B,SHA256=FD989293D297933D9C6ADB9A78307D9A2AC2650835CAA27EFF6C4AEB8E54BA2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:16.737{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52543EFAB3F128763B47C535F9C7EE29,SHA256=5B13CE7B07628324F157611726AFE683473F1DADBAC635D6226DAFA80BC5CF67,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:13.897{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61083-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:16.460{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282AFE9EE06CB798A2EBFC6D71C884D7,SHA256=FC96DB8C806F2FBEFB920E5C95D0B51B25F466EAD33E03DAA7C1C0608D174F69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:16.112{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39ADF010DD936F0EBC1ADCAE2B8A2780,SHA256=8CB7EEE376E52EEA17D986171B57526850C9D9F4E69D9A33B6AEA51AB331EA5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:17.737{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F485785E054DD5ED2AA974A5F0B378F4,SHA256=1486F1A21EA44B754D3C000BD04AB42E476BF08E0593EAE485066829DE69E593,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:15.983{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53248-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001048590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:15.982{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53248-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001048589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:17.535{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D5CF9D16EC04B5816F39ABC9CE9475,SHA256=FAC9FF6D9844132C6DCDA39491D9DE5501CACD2557D6AA3B4C6AAF59ADE13202,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:17.519{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:17.317{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C24C0397FF785C01712260B968B98C9,SHA256=2A6CD30DBA50D70C17441CE40C4556F5885115DAF8D58F9BE1CC4492DEBE994B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:18.753{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDB3D7E998159A427CBD502CD05851C,SHA256=880147EBAF9510275C1C4126C8FDEDB62FE07E04B1D68B4C4F39C735DF4C9045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:18.542{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB0CF3604868A0E5BA5C143DA3814DC7,SHA256=0B7A0BB75F236070B2784B6985D1734AEE862825F9CC545756A43437D6C2A963,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:16.800{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-50503-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:16.710{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59292-false10.0.1.12-8000- 354300x8000000000000000977191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:16.672{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50318-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:19.769{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF7243EEA2085C64E6725CDAD31A3D9,SHA256=4557675AD7DB240DA0F7BD21381AA456E0159428591384EF6929A3107F3EAE26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:19.993{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4300MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:17.520{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50156-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:19.557{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71BCE3B49D29CD4600DB71F5B8D422E4,SHA256=113BDD13F45AAA7BA8DF62A67AC83D858FBF09DAF33324B729A2015427D19DBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:19.362{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=458099BFC791B830CC2C60D7CF1BEE7C,SHA256=ACA7C34817FE59080C4BCB850F5EBE5D7A404850B1E9A647C64A225725C82FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:19.126{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AB617DDF56C10238C7594AEAD2D6F61,SHA256=8DFCA98652DFC9085BF9DEF0C092C7601E9F833FB9FB2815DB00BC98297D2BF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:20.784{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D87B7F4565E3DD83F3B4691E1C445F79,SHA256=3CBEE6887B92592EC8DDF8DB541D68814915712CCE624A5C2E8CAC6E1185705D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:20.993{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4301MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:20.560{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8459DFAB5773AA4C39DCF04D316BA611,SHA256=05C36974FE14B0544184C134FF70CAA69973DF9E4620DBE9169E02DCF1068B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:21.784{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68911553140CDA41E0B8AACCD0FFC4B3,SHA256=D8E930DBFE9AA7D37C399425E6DD58131F8AF475EAA9CF87D002D993C199F051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:21.784{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3AD240B0A3A36BA86E7FF40A92DB14,SHA256=22E437F9971AA80A802322502829F1FA2006A02B82FCD75CE82E6580466A6AF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:19.768{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53249-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:21.591{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521DBF0F4CD3F4B52508D80BAB534CEC,SHA256=51CE333AD892B317900B974466BBA4B11EA521BE72C8D678FB9C723A6F7CFC4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:22.786{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1047F712F2302FFB49E180616DBEDE,SHA256=ACF259763ABD4508F473FAFFEDA68E94F2CC8105BEB7BF33284AE3AADCD6D0CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:20.825{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65400-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:22.600{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D31D85A5567CC6AE6C59155AA540A2,SHA256=0DB4284DDF93FF825DEF0C8338E082CEA034D67C3BA332FE6A7B1FDBC51B615A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:23.786{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5464987DAA2E16B69D5675D63C722A6E,SHA256=B343145819FC94F2804896B2C474DD114C19C00EBFA466CBECA7F3AC1CABE932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:23.609{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F3F83FF475E7FACF7F5BF8D0DA2503,SHA256=D3CA90CD3E643880F1A244C3E1BE44730D6B458341D44B7E589A482FE9519B93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:23.328{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF7348377ACFB3DC916B2FEA3212DC99,SHA256=E46C3379D9CC56B225DD0923126A498797925745CCA09E6D2AA7E662B4D7D1BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:24.960{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF5010C530A8369C807D49C3A448129C,SHA256=01C835928FD2E85CE60CCA594FDFDFEF0D88F45E3E07F5A934A877031EF6AE5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:23.054{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50434-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:24.691{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586FB23872AC326B67C3583D844DD997,SHA256=FB8BE799E86DA55EF2A246112919B3A41D3B1FE3C19E0BBBE38BEFA32BC3787F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:24.801{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFDE1AC460B3C5D7A782FAF5190B62A9,SHA256=71B681B2BD50028396BF0FF6299620B72795836BF177926EC3159EF7CB0AB8FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:24.364{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C02116D694F10EBF00CD4EFB1F0DB06,SHA256=1E570C6CB55A552AC935E9D32772D26F27DDBA539C591296435649A47BE7B388,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.926{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8919-6151-8F79-00000000FD01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.926{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.926{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.926{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.926{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.926{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.926{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.926{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.926{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.926{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.911{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8919-6151-8F79-00000000FD01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.911{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8919-6151-8F79-00000000FD01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.912{69CF5F33-8919-6151-8F79-00000000FD01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.817{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF1EE7CA9E815C7E5A5447D146C0404,SHA256=BC5F23A26A5FEAF7D3DCB4981ECBA9936B274D34346807884ABC4130FC8CD987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:25.692{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666E4F634DFBA09299401E037B306282,SHA256=D479724C83C6F9C521B5E671F50AA10EFBE960731EE267F43671D53950B43BA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:21.951{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50380-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:21.567{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-57003-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:21.551{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-20748-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.880{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C5FAB1F65133BA9BE89CB5C1430B1D,SHA256=BCDCE9C5C5A14AD6721ECCD57C545C229435C7E11AA6B7BFA82F6C8395BBDB57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.833{69CF5F33-891A-6151-9079-00000000FD01}3244856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:26.729{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF16D28C0D98A4B29D8C6E1B961566E,SHA256=B6C4CE0635914A2D5C3D665830D02955EDDE067C9F12FD17B8895306A34231C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-891A-6151-9079-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-891A-6151-9079-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-891A-6151-9079-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.599{69CF5F33-891A-6151-9079-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.536{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DF264A6CD48F0AB1B1DAEC8377DD5E3,SHA256=E8E9D8E101BC129533940CFBDE740F47767B3B119CA57D02986CDCA27A2AB11A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.130{69CF5F33-8919-6151-8F79-00000000FD01}33242396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000977218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:22.712{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59293-false10.0.1.12-8000- 10341000x8000000000000000977264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-891B-6151-9279-00000000FD01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-891B-6151-9279-00000000FD01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.973{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-891B-6151-9279-00000000FD01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.974{69CF5F33-891B-6151-9279-00000000FD01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.848{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFE511AF5C8F90190A27DEC9282C8443,SHA256=C1144332915BF99CB62C704B9FA873BC6D1B917EB67293E5ED445E37EF760761,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:25.784{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53250-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:27.730{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD842E79B9E9C32BDCAD8B91BA6FCE4C,SHA256=F24686D90AB134F6F074DD9E28ED495D35C3C08102763F9E59DF54A7FFAD4934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.755{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=359FE101D483687D0D635ADEDA2E7938,SHA256=44FCB4A46F2DB1C2C3927AD9539D3122BD48082A74158E92165B97B70F37B101,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-891B-6151-9179-00000000FD01}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-891B-6151-9179-00000000FD01}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-891B-6151-9179-00000000FD01}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.287{69CF5F33-891B-6151-9179-00000000FD01}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000977236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:23.837{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57509-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.735{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-48997-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:28.810{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8BFB948E4B798A8AD923D9980437216,SHA256=30CCFC727C2A7985641DA4C9AE2200D7EB3F6D79EBE1EB74E2AD272AA4C8FF39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-891C-6151-9379-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-891C-6151-9379-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-891C-6151-9379-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.490{69CF5F33-891C-6151-9379-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000977265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.255{69CF5F33-891B-6151-9279-00000000FD01}35403028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000977296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.989{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4DBC85257DC1A82F8D81854C4E15B17,SHA256=060F2109F37974A8985A7AA092A8487877C53E3A8179E35FA308A07EA9A68F20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:29.843{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5FD5FDAF8159922193809AC892A44D,SHA256=E8AB7447999F6300D8E6655953F4C2014B91A25CF40EE39FA88A13E66D080B3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:28.093{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53590-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x8000000000000000977295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.380{69CF5F33-891D-6151-9479-00000000FD01}2504932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000977294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D166E75EE1EE6FA5C85E7064FF17EB8F,SHA256=3A29466C48330BFD346743DF8543BE9AA2F8EB7246C77F22768135F1BDDB6A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E9E5551597941C671002D451815A140,SHA256=1B5558CC0416CFF8EC6AAB3902AD66C4DC61493A67AD04ECD4D2DB5C3EB5FA13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-891D-6151-9479-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-891D-6151-9479-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-891D-6151-9479-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.177{69CF5F33-891D-6151-9479-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:29.743{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09218A104B05EF6600CA014417955448,SHA256=46929B8B85231E015E750E38F68A635593E26980C5B0B0B2B7DDD4916356FC09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.909{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.906{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.906{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.859{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02E223F8A5E6BE7842343B41576029B,SHA256=8CE045D91191E47DC8F49173777FF4B75C98A470870E0633DB53B08FB6450BFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.852{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59294-false10.0.1.12-8000- 23542300x8000000000000000977297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:30.192{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0783066150FD6EF99C4EBF9A783218C,SHA256=C426F6EC26A252174F69C7422052741FA938B803A925C4DC188FE427B93D9047,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.454{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-5175-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:31.598{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB35E23DB7DC4B135C464980E33FA5BC,SHA256=3D1F107A47E46101A644DDB370A3E4E8DBFD1FE7E5087E30CFD563C20BA03A79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:31.005{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E960D4DB91EB522F72D481B8803AC161,SHA256=8C2C0B4393666C5914A52FD50DA142FFC5A91FEA7D95E953BCAA48FCDAD46A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:32.489{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B7F9F4BCB65B66F68B331BE8E48005B8,SHA256=6C1C1FA0E537AC3AFD019C83B5E7CC29A7B7A5AA7ABB1167FF338E258BDC143F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:32.239{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F014E5FF76CADBA4DC81AA71DE6C7E4A,SHA256=DF1304377B29F39E37F2FE71EA0D31915A3174BCEE560FD12EEDC1EF3AF15D93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.854{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53251-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:32.310{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A831C1B71C3B9D0FD3932C37BA5A5D,SHA256=88511F7269FDA6C836BD3FDBBB9E7EA46464D6F911DCE2A5020D27133C220516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:33.614{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B95DD43439A7706C676D1F020DF71B8C,SHA256=5CF10F802EC0944D00F637181054E96AF817CEA61A951CE96858977B3CA71605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:33.458{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7566788A21305BE03536D3274E533FFF,SHA256=33256A5F220EBD5C35CC87E0F132C5787C08794F25CD4C118A09125FE3F6A830,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:33.447{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:33.331{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF9CBBB0350B00E731DCBA978FD563E2,SHA256=3B0B3014929F811222FB19E8AD0DD9C76CBD26A9E17B2D471297DB83C6A2331C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:30.332{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse110.10.193.201-50270-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:34.692{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE35B7018BE66E6D4C571CF37459FC6F,SHA256=17B1C601BD87F1BF65C328A86C17161C24FE970E67BDC4272E85B8BB877D0151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:34.347{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9704B6CAEC529F64369329DC5123159,SHA256=DD09FCCB5757699DCB6D38A40F1E59A60F1A34E412E14440F0A4A0F034B18079,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:30.781{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-18589-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:30.775{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55993-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:30.676{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55909-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:35.895{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E189379F47468F06FA2ED3AECBE23A5,SHA256=EB2CC815AE1CBA9404B7684471D4C3046F158F8D6BF483F22BBA6308DE06B6F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:35.663{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05185F99F77ECD927F17549DAAA20A2D,SHA256=8C2E58529537233F2CA24C69F95D9D8DF7D32F740A3A0A378D56B409E6B07735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:35.663{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B96636198837DAEDF776602541D373E,SHA256=9E7D1129567ED613120F4A69B6D33A803B8B2C955925983B74330FA358458622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:35.347{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9631E57657E826C308DE321A3D127FF5,SHA256=421029DBB805FD574CE6D4C76C2484415EABD9E15EF60406E6D3A2C917A0861B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:35.645{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82B4726DDDAB12E5BBE73725BD584FA2,SHA256=ACC80B671E6888A5EACBDF5BAA96799B9B65297C850DB54345D36E81E04FF8E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:36.961{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B4FCDC0A2067E5E00643F8F31E33D8,SHA256=3AFF5556AD6A1EB49EC5D35A4CC4279300B398CC2CE0A27E0B115F072C727E9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:36.462{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:36.362{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A6889A1BAF62DE1E98B4FC2D28C639D,SHA256=1D14A1A5F0BABF91D754116E184DC6D562DDB6DCF79DDB45963F76C9DED82369,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:34.021{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64169-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000977329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.973{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C8F5F53A5FEC9AC2B3028A6D0CE507,SHA256=908AFAD068B20B63C7995D83891609D8A41F16379D39C0B3DE3BF2EC72A93DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:37.376{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6CD31778A26A889DBED38E89CD228E7,SHA256=0B39C380FD6862DF8E23DDBCC6E85F964E9EF08B755ADFCB7A6B5A6144835BC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8925-6151-9579-00000000FD01}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8925-6151-9579-00000000FD01}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8925-6151-9579-00000000FD01}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.740{69CF5F33-8925-6151-9579-00000000FD01}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000977315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:33.968{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-32090-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:33.759{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59295-false10.0.1.12-8000- 23542300x8000000000000000977332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:38.989{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA32BE9019D3CCE2A76E9E414A32587,SHA256=B89367DB0C89923DD10003C8981E8A95CDB8ACD4D7C6AFF2539623FF08E6C6E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:38.392{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3263447E1A012BE730B4F96999E628,SHA256=43C9C772E605FF59332C9F817C8DC04948C7C126EEDCD63353B3237BE50528AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:38.458{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A2CA2759E9FBDA5B52D314678097DE9,SHA256=C18C7BD8AA1042958066EDECC53652AE97164174E6A202F3B2C6F1EBB9F836FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:35.611{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59015-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:39.410{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C534E44B60D90F22ABD64E10144C4EB7,SHA256=12D33345599A760DA9CB41921C5C9B5B70B4C949B73228BAF87BDC3D9CBAFF33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:39.208{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CFA18C8B19D599E81C817620C24FCA82,SHA256=4C30E9A435366C2BD1E6A0143068F3012277F96ABAE77CBFC4A58D7FAC601A2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:36.784{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53253-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001048663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:36.138{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53252-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001048667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:40.427{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92C28201053B00B81BCE453AF450EBA,SHA256=190FBDC47B1ACBBDD9DA750D86D40B954970D8C2B79898AA908E176618D37DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:40.005{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC9A63914801C33D9A9AEA43AA5BABA,SHA256=7FDD4815C259C997633FB3F5BA224B5C9E0112682CAE0D787FC1BFEE7D48AE51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:41.442{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE9A13DDB07C9AEFC2E6435C3AE325B7,SHA256=C691B581A647897C0B5CA0E6CEECFD45FFF9676AD4F5309CD4BBBAE672E094C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:38.899{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59296-false10.0.1.12-8000- 354300x8000000000000000977336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:38.812{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-1783-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.773{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de63037-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:41.005{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9F2AC6124C9F1318A50897EAA44EA1,SHA256=0CF16F34CC72888D55D5E4C810BA0260F1BE4118A864822B57165F6EDCBB64F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:39.503{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60916-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:42.788{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D4C5AF77334F3CB001F5BF93B520201,SHA256=209D64246439FBC0F7B55FD24F2231F8F6B6222AD9DE268993B0CE3A36D515A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:42.788{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05185F99F77ECD927F17549DAAA20A2D,SHA256=8C2E58529537233F2CA24C69F95D9D8DF7D32F740A3A0A378D56B409E6B07735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:42.457{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C99E026665F2D4C44772DE0C33D3312,SHA256=437D3CE4E118B10B841F06FC7CA0FC965AC3A81F012F9398822130400EB183FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:42.898{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BD59859B107A9976FACD52330478C04,SHA256=38D89D09E564DF417A2990410794340E82732363D9CBA541F3AD1CD4E531BE6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:42.020{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E389D53E7BCABB36E1EA7387348D3135,SHA256=79B85542E5BB316693D17ED82313D4F73471D56AC7412ECE0ECDF4E29CC081D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:43.472{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C55387C013F9BEEAACBA9654A586A6,SHA256=1D4B3104DAFA7144D3DA4984BA77ABD68E5B379B503E7433334A7D6DB8C96CC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:40.385{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54984-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:43.023{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05056AB1E65A8C6D43EF2E787360A22B,SHA256=2152A503E6EBC413CF018A14E2A9CE87E27BBC3E55FF1C03FA961FB7FDF69D3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:41.799{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53254-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001048683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:44.588{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-892C-6151-017A-00000000FC01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:44.588{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:44.588{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:44.588{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:44.588{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:44.588{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-892C-6151-017A-00000000FC01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:44.588{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-892C-6151-017A-00000000FC01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:44.574{5EBD8912-892C-6151-017A-00000000FC01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:44.557{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88903E20E31287769A52E7FC894D457,SHA256=A2C3316F53D6FF25BFC264DA90EAE23FA419DFB1D0501296F1687B654A303FE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:44.039{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E04ACE3EEB1CA7DDCEF8031929C80DE,SHA256=AE8F2A13B1806516096F7826F1ACD78C1357E2413A0EBA9F157C728D3E890894,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.971{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-892D-6151-037A-00000000FC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.971{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.971{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.971{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.971{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.971{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-892D-6151-037A-00000000FC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.971{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-892D-6151-037A-00000000FC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.956{5EBD8912-892D-6151-037A-00000000FC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.640{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D4C5AF77334F3CB001F5BF93B520201,SHA256=209D64246439FBC0F7B55FD24F2231F8F6B6222AD9DE268993B0CE3A36D515A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.572{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3832ECB8B4F8AC69C40625262032A6B,SHA256=9828C01660F81EDE1E8D70E8BE5715436761C9155F31AA79BA8E54D6DCEE8647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:45.929{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EC5399871B2EF635F6164907ADCABDD,SHA256=DCD13B4CA2E2909964485D1569C5BE1C41D8FE69DCFD72B09833733E087588FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:42.800{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-30495-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:45.054{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD83EA6B1CB43FD4D8F61778B42D88D,SHA256=2625E8A9E7127D6EEDC3834893E189AA83DFBC933689327777E9680FE38079C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.441{5EBD8912-892D-6151-027A-00000000FC01}71004396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.272{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-892D-6151-027A-00000000FC01}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.272{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.272{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.272{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.272{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.272{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-892D-6151-027A-00000000FC01}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.272{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-892D-6151-027A-00000000FC01}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.258{5EBD8912-892D-6151-027A-00000000FC01}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001048704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:46.839{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:46.587{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF9A6F54A31C6B1540DF883A18F207F,SHA256=297700EDC8D811704D22C0F4CF460E81EFABC5EDDE3507ED3BFDEEFE8537E239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:46.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EEDA415F805C79F0505CAF3EC25635E,SHA256=86CC3C42F68A318850F2FC892A7DD146C34E97B731C7B221EC9E90601B1B613B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:47.604{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D1662B5552074811679F40A035F053,SHA256=75B4F50871B572D18B1D9794EBAE3FEC678EC08884A5D3013994BCE97358709E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:44.886{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59297-false10.0.1.12-8000- 23542300x8000000000000000977347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:47.164{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73739EFA243B79AD62DB4A06CCB1149A,SHA256=1238810A1AFE82675B7FC404F7EE899E06633399611DA10A5C64CAA2CCF3A1E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.577{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse39.103.226.77-60338-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:47.186{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7C2713954026AF351EFBA70BA373FD3,SHA256=5B25CA41D1F95E23B33B648B60F0C4E41C8F7DE51E113E188321430C7B534F08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:48.622{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE90C9BFA349EC14BC911EEDCF3924A9,SHA256=4A645E073367E44F2F4501694520494708CF2C511B7A768FAE65B4D2FA951D2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:45.802{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-41807-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:48.242{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B731A5DF4B39DB75F796C4AAECA4996,SHA256=9557E706EFE532B568D71C24AF74F9A23B2268FB8B7B5D1C57CCBABB15BC97BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:49.824{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80B7B7EEB20F9DDF1D502AAAF4F16C15,SHA256=082190684B001B44C30AB45AB64C12F0855CFF3B5BDEE843DFEE3D74AA198052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:49.624{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE9821A5D5254EE2A7594A4A8BD51C03,SHA256=37C7F5F9629F030B7D7DA9441E4C96CB2A96D7ABD0F86153301C6C8340CE7E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:49.257{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82E6E76F0D694AA3DD35769114BBF74,SHA256=5AEFE47827E5BE77058695D98F543BEF1DAA806DB77C8BE8F21A82BAD6570639,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:46.861{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53255-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:50.670{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC7E4DA038C1F79B1089FB9B636D6AC,SHA256=086A9053D55D3A288C06073B70884D36196B1784D1B5F3EEFBE755492AB09CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:50.960{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8345AD6F9FD23B2D95C34029915A2AC,SHA256=733BE51091D6D24759AA5CC8AB09BDF9D346A62D4988C82C07C6F5908F110984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:50.960{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F35BB9A2249EF7C2D9D30728F60782C8,SHA256=473D850DCA1103F253568DF734CD53F91C446521933DD5DEB1B93BFFD1787BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:50.382{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D358D8277359C7D8739BDC23169F70D,SHA256=66CAD8B20FEB919C93B30B43ADD730FCE4994D24B437EFB91E5DE56C96D666A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:48.703{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50248-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000977355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:51.601{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6381182EDB9765FBFF08E5FD6B0107B,SHA256=49228599C9AEFD4C5AD6E4144F8CE830C7EBDE0ED7F3387926FEB6960EE247BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:51.685{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A398DC174EF52A89907F3CB85D741A,SHA256=EDA9FC2C7DE7C587888926EB361A8D890B831C74D8A322B2C0F0B0E58E86FE2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:49.077{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60826-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:52.704{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1897879A2B7519F020AF2602065A34A8,SHA256=DD653EBAC9203A5375D5F9CB095BC5AF728A83182F706C7A9FD344F5A841908D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:52.996{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4301MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:52.838{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B414C1739DC95F5A5F56958D3D797A9D,SHA256=BE6AA90D7365A6E5434A9D560801C2F1C95EF2FDCF78224E07698667C078588E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:53.936{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6AF1D843D42188E5A9E858C034BDFA7,SHA256=CD9E69AD8ED37902BBCA1731C389ABD105373368AE6DAA2DD98144F2AC39C625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:53.644{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8345AD6F9FD23B2D95C34029915A2AC,SHA256=733BE51091D6D24759AA5CC8AB09BDF9D346A62D4988C82C07C6F5908F110984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.966{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16CB1BA7BAC82043F3CCDF6F72E04BE5,SHA256=D02906DCEB91321026EB9CB05DD01CA78C26574D8AA5E14A8796DC09BDFD8DE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.966{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CD16E76FB6B1FB8C4718E61AE765FA,SHA256=A24868433D8276A43AAAC9F1D787D968641FDC542E88636AC93EE35EAA090418,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.935{5EBD8912-8936-6151-057A-00000000FC01}67766480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.751{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8936-6151-057A-00000000FC01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.751{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.751{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.751{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.751{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.751{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8936-6151-057A-00000000FC01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.751{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8936-6151-057A-00000000FC01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.736{5EBD8912-8936-6151-057A-00000000FC01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001048727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:52.743{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53256-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001048726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.205{5EBD8912-8936-6151-047A-00000000FC01}52804448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.051{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8936-6151-047A-00000000FC01}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.051{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.051{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.051{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8936-6151-047A-00000000FC01}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.051{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.051{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.051{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8936-6151-047A-00000000FC01}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.036{5EBD8912-8936-6151-047A-00000000FC01}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:54.065{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC23C567D469A9E8D8AED03E0864593,SHA256=3AAEE98B0EB5A47584AE3B36F33C92D9C632A280628B752F02E8053F8E849F37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:50.949{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-12364-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:50.903{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59298-false10.0.1.12-8000- 354300x8000000000000000977360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:50.571{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51919-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:54.005{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4302MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:55.067{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECA860D7951277F617180725DDEF472,SHA256=8FDD3D1E60F0EBCDF8C47AA65C98778B169301B971E7CDB96A5B061AA950226C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:55.438{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8937-6151-067A-00000000FC01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:55.438{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:55.438{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:55.438{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:55.438{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:55.438{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8937-6151-067A-00000000FC01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:55.438{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8937-6151-067A-00000000FC01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:55.423{5EBD8912-8937-6151-067A-00000000FC01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:55.066{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=457E86DE991EC7C30DB3EA7115BFE242,SHA256=304AB40067280690764419E546A4D022F1B80B31849042970159FB93093BAA5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:55.066{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E22AD9B3CDFE289165E77D4C82E5296,SHA256=D8916D61C0257E73B829355712EEF292290D33305B0347BD1F983B5D8DA3A7D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.435{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=457E86DE991EC7C30DB3EA7115BFE242,SHA256=304AB40067280690764419E546A4D022F1B80B31849042970159FB93093BAA5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.319{5EBD8912-8938-6151-077A-00000000FC01}7565192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.104{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8938-6151-077A-00000000FC01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.104{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.104{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.104{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.104{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.104{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8938-6151-077A-00000000FC01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.104{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8938-6151-077A-00000000FC01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.098{5EBD8912-8938-6151-077A-00000000FC01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.004{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF6102B50C9CAEF05962DF7513875C31,SHA256=237D27B2C8DD089673CA7A03FCA171AA3DC19B07CD2E32D40E32C353CD4ADB98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:56.723{69CF5F33-7F27-614D-0B00-00000000FD01}6243320C:\Windows\system32\lsass.exe{69CF5F33-7F0C-614D-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000977366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:56.192{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A3AB9E1A7999711031106E79B28E7E,SHA256=38E6E843AC677CB7B351997153D8F0566DADC2EBC67BA77E8B96F25ADF1C455F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:56.020{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=273DC99CC77F7D9F277479C705158DC0,SHA256=11E80794665F09ADB8CF936BBDAA109651567BA862CC06E61F8EC73DAA5C7205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:57.208{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0148BC1C59307D4F1247A2B0D82A0E67,SHA256=8299D444DCDF6356D186236F627FFBFE84B329FC8000D5ACB9CC50C92EDDEF6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:57.765{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2ADAEA4B199C1F22850D8AE31DCF9E79,SHA256=0FE7FA4B42A41A232CD147648227A01CDAFFBFF8C499B2C414891DE31A3CF8EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:57.081{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7DAC844CBDB073B5C06F53CD3EDA8E6,SHA256=76E67560F086851BFD706E14B0BD353F3AB748061B562DFA85AF56587216C411,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:55.525{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50209-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:55.372{69CF5F33-7F0C-614D-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59299-false10.0.1.14-445microsoft-ds 23542300x8000000000000000977370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:58.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ACD60066FA387D81203CBD3AC172549,SHA256=71DE857188F50C3AEB7299AA8E5256872B0367B586D0512F4F0D1B4AD4B8841C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:58.223{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA184E64628267BDD893542533B59331,SHA256=42055E182B726B4B4ACC7671B19325988700ED06BE7B47748677A8F3F9C3B6E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:58.964{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001048764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.773{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50385-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001048763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.435{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-59299-false10.0.1.14win-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001048762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:58.099{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F82422B249B3D928AEC2CD8B9AA326,SHA256=E379D975C810F07A311892D71B6113DCEEAADF4950671B4C16F9C4ABD21922BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:56.680{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59300-false10.0.1.12-8000- 354300x8000000000000000977375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:56.133{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55491-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:55.999{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-41529-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:59.239{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A11A28F7148E48ADC84C330185FDF3C,SHA256=9EA5F1E0BEDF75D88A7A48298DC4735FB82F9819702E00AF92DA2438903C5CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:59.133{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2E0FB9D06474CFD9BF1E14ACC1347A,SHA256=98343781C5C75E0CBA30F355B4DF8ADADCB4BBAF41F5F9CB75426A1518BC95B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:58.771{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53257-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001048769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:58.701{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56598-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:00.550{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C33EE2A935C53D7D75E1FFE694DD8DD,SHA256=128F827DCCD3CD2285FA351E7ABCDB66DCBC0F0E15A3F3454FBE2FC3F0ED9CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:00.147{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC47C29CD4AABF348C917202DCB40FF,SHA256=08498D2D36856D59F9D799A445AB99915ED19950BAB6A38056BA63B42B676324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:00.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D809B1BFE6DCD6D4B8E5B51C808A0D,SHA256=F93668C9BA05DE83D0E7F1074AB7D232FC94D91804B718B4FD9245595C7939DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:01.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00673DA5DA4FEFAD1CF409E3A90ED3A0,SHA256=D7F8596E1E5A73334A0D507676C926967F4B56A5165D85786189E6CDB501679C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:01.216{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC4A49DD28A09326C2852ED90525670,SHA256=2D359B66865B2AF5CE95F8209CE97B02F536837F99EBD2778010B74FF097C183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:01.145{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=141720158F871893C33AD13BFECBDF30,SHA256=415F649523608778055C3A592BE06ED7386212F66A4CE63BA197D519B655F3FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:02.225{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92FA2024D845EAFFB8C8B2E3A8E5D42A,SHA256=BBADAFC9BCB13FF02469C17197E9EFEA77F293FCF35F9284331AF8B16EC4F721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:02.270{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F14633C187102A6DE843D498515EB2FE,SHA256=33EFC1B979EC8F1E2DD91D35350F4964BB372A413816F55FED7701F374E94E0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:03.240{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA505CAE85BA84527A84676B321EFB1,SHA256=FF8B4AFEF32780D30FBD5B37AE9102447303B2A3D5ACF7118157B1D115C73A6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:00.177{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-12293-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:03.340{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C4534BFE4F3F3F00D9D037CF07A2769,SHA256=01382527CF8E8A7464BBB88D9A39AAFA8F2CBB60706797D523137E36A1AE78BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:03.278{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4D36ECFC14C3975526CEEDD6C4D806,SHA256=64CEB2AD5682A77D16E49FDB067F8B82F9D94C680C7E62F3287124926FC465B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:01.844{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59301-false10.0.1.12-8000- 23542300x8000000000000000977384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:04.293{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D1AD4E0D3216435BFD2907A3E82812,SHA256=EFB0743B46BD42F2F58A8A4A6E3B6032DA35EDBE163B77980D855495A90C9A56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:04.240{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591C357B8AC600D9039E6481681702E7,SHA256=13762CFFDF11CF651B12E940D3EEA997B5ECCD026A28283EB9D58766AFE73CED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:03.119{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57735-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:02.725{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com49799-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:02.354{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-24791-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:05.481{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EEED0E155D960E3565CF9AF78A3068E,SHA256=08A081D21D740967E62B9A047881EE59A614E55D0D05B92BA1F30E30F80FA56C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:05.293{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1D23B14262FA71C8E76B587C286874,SHA256=D318599D1CAEB77DC71B033B2918BB1EB8FA05482A0511DA4F972C50034F1ECE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:03.898{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53258-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001048778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:03.623{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com49426-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001048777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:05.724{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:05.324{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BFF3E9DE87D45494C107F26D5E8C6C4,SHA256=85A17BBBB5381DCAA0E8D5E76B5A3DF3D8F0E52DCEBF2AD851985783D271511E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:05.240{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=783A0B2D00394AE2BE35A0B632FE1207,SHA256=4513C83339234BF41A7F74B0A44AB22CDCCBD426D208B731D4E9691966900F0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:06.355{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7474D7CCB835BAFF846B37BC95C80B,SHA256=4D160207BE539034A8E9BE4474155A68FCAB5574D04C0AB77E1E63B7A5149EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:06.309{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3529506C36AE9B8674F9A76F724B2AC,SHA256=6B999D2F5D0F1F09863206D5895E384F3BEBB8CD2A06446186AD46279B7F2184,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:07.700{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:07.700{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:07.700{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000977392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:07.309{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C78D524EC128C5BB26B16D66EBAC59EA,SHA256=E1C64E15F1CC6447F690080571AA16FF8AF6BD1B2607A380609CCCC92187F830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:07.370{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929B95133C2EA33965385E020B194628,SHA256=3503300E01477C1025786BB12FE72AB86F27A81857A1D2E3B667C3DC6B50B922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:08.569{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3475B1322819180B6B0816E739FFE8B6,SHA256=35587BF49C8F4CC94750F4ADD4A0F1401BF359239E152DFC399346F3E9E25EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:08.404{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F562A05F6FA4D100928B132C673CF9,SHA256=9038AB5426E6493B7E74FA1762E41825FE423C963C5A4CD31837A54462D2AD76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:05.465{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-37119-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:08.309{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF461414AB35AD0678B0F056D997340,SHA256=C621D697872D500AC8835C769E59C4F43B5821F0BF10A15015384B73E360B52E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:08.041{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62378-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:09.683{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39E4379288A9F7D96E38A8C817B543BD,SHA256=BF17B51C5C567BC536247A8E7E46CAC9E6CC55BEC8399797C167921A3746C84A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:09.552{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7734344EC87F44C9C2C8A1F1A8616A,SHA256=6CDD27BD15049729CD815907955203C7BE5411BB6783258A404394C066D5FD5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:06.860{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59302-false10.0.1.12-8000- 354300x8000000000000000977400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:06.368{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61951-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:09.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=017C21A58EE6F8AE58E77A27D7C6F08C,SHA256=A9E9E0D8E08DE4CD629878DCC7230F35579193F9CE2FCC10E5C46463A218B302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:09.231{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CE9A3E17C2E52E72A8C28D95AB7AC73,SHA256=AA89510A060E4C5D2F67B7DC28A3FBE9C79112BD91A62DA866E2543FEFA058AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:10.552{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0609A3DE334A7AFA6128EBE90BE1311,SHA256=CFC63BA5EF5394AA544344811E9DD2222161E02A167183F34438D7611825BC7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:10.590{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBFBBF8267B54AC9414BF99064FDB52C,SHA256=292EB097ED00470511E04E5F995B468065099B85B686F73BDF1DB7CC0544A0EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:10.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1D1BAE47AFF58445DFF238A797BC44,SHA256=67024C37B2BDA0695435E9629604A878A9EC8AFF0992B619EA32057ED730BCF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:11.582{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19C23FD25CD612FB4B442565ECBB4B98,SHA256=131A51FAE87A22819C620D518992805ABE45B8623B9B33DADFC639604D6056FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:11.340{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE475C73DD10A2C1B86923356DE05EE,SHA256=D897D34B893CDD91963BBC085231DF15699FC8784568BD154DE374214C2C6A7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:12.723{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321B28BBC11271DBF7BDEA81C910698F,SHA256=84075E23697F9DECEB837A0072C89C8500013695662702024E03161146830A8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:12.793{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=737D9483CF8FCF4B16D9261B9488DC05,SHA256=78367A1CAD782CF5FF51B711F4834ED1DEA6240FBDED019296241EE06E3362DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:12.356{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C704683624511F2F358BD8703CCC0239,SHA256=FDC48E2916ECBBA89203FAE180CA162D1E650E7BB6B31BC4E9938BE1091578BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:09.795{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53259-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:13.754{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACAEB3B46DD34E6371E9F2C7B4DBA4EC,SHA256=6173E81C4B22040F4E9A36FEC55C7D7EB7944901BCEC10DEAE77479D152EF4E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:13.543{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:13.371{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=230D940CD69A0278787171A93F5CE4B3,SHA256=81020D6CDE3E1CE59D094383A7D36D5B76D15B67A20424265D4D54E3FDD162EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:09.617{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-8137-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:14.757{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579ED770BC30234AE1E721036B571CCE,SHA256=4B862A39054A20D1E3D1AA76E649265AEC447E75D68C51B1D8B56CC70080F0E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:14.371{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642201C9DC76F3CB795B5CF3D14511BB,SHA256=8DDE15DAE2737B56D721359C2D8FE5C48371C1917414719A9CD2C7BE5C853312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:14.541{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=923D0AAC301AC02BCBBE518A852DD407,SHA256=236AB061387A43944359973A8A7F0106BB03490A200BF3661BDD7EDFFA3E28BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:15.788{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A6140D2627162BE1701C496AE53AD3,SHA256=20BFD0E5A0383DFDFD0E8B616CCF8D880EE8F3E2492DE3B5D5E6E547AB532B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:15.387{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342BDBFAFD2468BBEEBC80A0798B8E64,SHA256=F4AEED53FD56FA440A6E9D79E65CAD66023BAD18C79266551D556F4709CE73E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:12.172{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59304-false10.0.1.12-8089- 354300x8000000000000000977413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:11.891{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59303-false10.0.1.12-8000- 354300x8000000000000000977412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:11.825{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-20916-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001048796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:12.989{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64124-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001048795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:12.457{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65053-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001048794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:12.413{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.24.1.102-51082-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000977411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:15.028{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93ED2F6CE956ABF0168C0248015B1B0B,SHA256=528CEF2C7A6D012A5A76B2264970FD1B00DCC99E59644D8ABCEF14EAFB1AA0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:16.806{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAFB59E6637B0BC87321B3DA7C9865E2,SHA256=08505C401E9401D28F93790B3688F9D4F1962933140085797A70946E64E269C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:12.592{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de49520-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:16.403{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E814BC1BE8C5E39F3B3DEFE5E92A6F3,SHA256=02A39B4DA0DE82CAAE76359FB42F90793F2B0D9449E8530048331CCB6EEE761A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:16.241{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE6D254024EC7218CDA2E8033C98D099,SHA256=1383751FCDED91E090FA32ED7BAD636A3395194FB08870130FA4FB0A746C61C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:17.824{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A1D5242086F7D93646E3E9A183476B,SHA256=A2AA5E3B39BE79BEB51CB2614698B6E1266A2A22D0C59BAE48693CDE6D35DEC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:17.434{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F328103FEF96685BED0E00C7AD01BA27,SHA256=E23065DD7BA88A750B29D8B842E04456FAA73428E1B8960E4EBCEF5CD6A5FCF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:17.418{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D04F207A48FC3E1C5522956C02F0FA5,SHA256=6A82A6D8DE0865F1ED1AF8A38C80F0EFC545B50C7F876B308DD74E00F43E518E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:17.325{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A26EB27B7A6038AC8823B8476560269,SHA256=2DF7B684EE4284CE1B2ABFBF7787DB140C122C69E2A69CEAE4D860F6BCB5AF90,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:14.896{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53260-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:18.855{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3FDC3177BAF0B05468666A895A3D46,SHA256=F9511AF5A0E5F691F73B8DA7E4A8BE086511923775CC68B03EBD7AFBAE09E424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:18.840{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FB5F6CADD71D8F7295DF02512F975C6,SHA256=D8DE2D2D8FD177A3AE71B5DEDF187F2473E15EA02DCE29BA0E7CADA199F5DC33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:14.845{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-34087-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:18.418{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C7C27BDE93B115C89BE9BD6A5D71C2,SHA256=20B7684BC7A0F54997E78391145F5E5A0486B89EF830940D8E811106DAEABD8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:15.995{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53261-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001048803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:15.995{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53261-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001048806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:19.857{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8681408589B663D49D0BA6E8D61EEFF,SHA256=65F454C75A0AABEB5094C423D4BBC2A9FD23EF18CA4B1EE44DA09302CEA2E4C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:19.856{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA1F07B3C694F1A4894C50305B1211E0,SHA256=A5F2F5C338FF0F562E7938EB6E5BF54E8E36379F46521704EC2E9305A716ED10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:15.724{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51216-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:19.434{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC21DD62E036850E73D4DF4DE428F405,SHA256=54C5A0C5875AD62FFBE0FA382529BF034616D447D241C4FBD6CBD9BD33E89E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:20.887{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3A18EAC469D275D71945918F7B13E6,SHA256=893F77B80ED31AF89D7C12DFA6C8ACBC94755AFBE8E9BDFC0F3CBED3B9F13C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:20.434{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1AC72C0210F10F406A139C49F3E3E9,SHA256=F5FCB87B283DD6EBBF70605431D9E1FAE6C8BD19CB6DB047CBB663CEF3121FDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:18.251{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52260-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:21.955{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B563A2C3B7C2AA2970D33709F04C30B,SHA256=4844EF37049F9AC0A537B92C01AED43DD43725AFD0BAC9D8E48E4C8F46734FDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:21.450{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=395A27729E03FE70720EDD50CE9D3FEA,SHA256=CD5DAE4305FD6AEEC3BA9304A9F91C92E61FD39ADCB2557513363AC336C19E56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:21.528{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4301MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:21.209{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=381146BB2076FF0FAE6594020E49CA6B,SHA256=F7FDAF7B7C7D8FF205751570C4B1409691CD62DE56E486EBF99C32FEE43AB623,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:18.854{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-3045-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:17.828{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59305-false10.0.1.12-8000- 23542300x80000000000000001048813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:22.970{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D141F88E139D4DE12C73FB1C39C62D20,SHA256=717E873429F289391D949192203A14A783D001BDAFD41CB59DE09B53483D69BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:22.450{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9646FC3AD45AA835B5A1833DF33D17E5,SHA256=9BCBC32603A3F9C9C396658787A8E81A23A10E433CD6012AF6E7F4CD7EF310DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:22.540{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4302MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:19.466{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-55062-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:22.012{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BF24F3126DC18C2F1043A326C7E350B,SHA256=9B7A77BF37CACDFB8802CCB63D774A1D621FEDA6771B2ABDAA4B2C88989B5842,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:20.411{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54204-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:23.451{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BBDC12301C10ABB7DDD6B816CC02AEE,SHA256=B29C7D628B3E40B782DE11A6C18990994D9E15748CB98369130BA0DAA765739E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:23.909{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:20.916{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53262-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000977433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:23.232{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA15CCA91EE8A16B5EB8CEED0A4D4037,SHA256=BE6910D750AC411ECF5597A6AA5F03CAAC75F0AFEB33FCCD599BD5D3712FAE5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:21.054{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-15300-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:24.451{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F7EF6711BC52274FEF43DD5E82E354,SHA256=E80DA69163311FAA605F1E492C28188C56EDAA01A853ED6E3519CBE599F0952C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:24.025{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA45F2BDC230277EC3DFC758305194F,SHA256=647E0AABE05024D07065113360D607B0E2507AA0C4D30223BDA53EB761407075,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8955-6151-9679-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8955-6151-9679-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8955-6151-9679-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.904{69CF5F33-8955-6151-9679-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.466{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7804C167024154181BC810923D7044C7,SHA256=AC82A9BE49B3D74EB03771D407C91EBD1D53E6045AEBACB1DDEC3EF1F19313A4,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001048825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:23.461{5EBD8912-7B3A-6151-3A78-00000000FC01}7120d2nxq2uap88usk.cloudfront.net02600:9000:21f3:8600:a:da5e:7900:93a1;2600:9000:21f3:b000:a:da5e:7900:93a1;2600:9000:21f3:2000:a:da5e:7900:93a1;2600:9000:21f3:4600:a:da5e:7900:93a1;2600:9000:21f3:7200:a:da5e:7900:93a1;2600:9000:21f3:8200:a:da5e:7900:93a1;2600:9000:21f3:f000:a:da5e:7900:93a1;2600:9000:21f3:5000:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001048824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:23.459{5EBD8912-7B3A-6151-3A78-00000000FC01}7120d2nxq2uap88usk.cloudfront.net013.226.145.65;13.226.145.44;13.226.145.45;13.226.145.126;C:\Program Files\Mozilla Firefox\firefox.exe 354300x80000000000000001048823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:23.150{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57246- 354300x80000000000000001048822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:23.147{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53962- 354300x80000000000000001048821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:23.060{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51283- 354300x80000000000000001048820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:23.059{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53263-false52.222.214.84server-52-222-214-84.fra56.r.cloudfront.net443https 354300x80000000000000001048819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:23.055{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local60390-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x80000000000000001048818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:23.055{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55560- 23542300x80000000000000001048817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:25.055{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F61753CFE9C9172241A4C9A18A18D8,SHA256=19DC81B1C608D1B58E661EA5725C51A76381F36CFF4A78E6520BB5C7457DED89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.763{69CF5F33-8956-6151-9779-00000000FD01}37282504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000977469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.623{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DC637115C30A912170C102EEC35A825,SHA256=9A0B1DB3E492C7258290BA7B9E11B75298CFBF0FC9771041A21C4EA8812409DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8956-6151-9779-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8956-6151-9779-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8956-6151-9779-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.592{69CF5F33-8956-6151-9779-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000977455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:23.862{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-59656-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:23.814{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59306-false10.0.1.12-8000- 23542300x8000000000000000977453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.482{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D22CC3366A252C074AF4409CBF265E,SHA256=A4B6EFF452C781AE777AF329E56AB47C494015985A15FDFD318791D4AC56158D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:26.086{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A7EDBCEBF5357B054E6178DB6E9BD9,SHA256=D17E060DFEACCDA3C72DBD5BF1433CFF13BB808AD9A627F707C97B7C38CF6265,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.169{69CF5F33-8955-6151-9679-00000000FD01}13121052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8957-6151-9979-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8957-6151-9979-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8957-6151-9979-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.967{69CF5F33-8957-6151-9979-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.779{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71BCD5ED3052B02E2DA8B777E135B02E,SHA256=C9B13BF7E204088F7F11FBFA20C8B25B38507AA705E3C2F694B8F0D3E9695E0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:24.237{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-28137-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:27.103{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D6BFF6727964B86D31E0881BE8AD2F,SHA256=78AA636C9D6948F77AAB8D98A6CC29ECD27ABDB11FB95F0B0A13803E3B4B35AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8957-6151-9879-00000000FD01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8957-6151-9879-00000000FD01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8957-6151-9879-00000000FD01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.280{69CF5F33-8957-6151-9879-00000000FD01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.685{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25691C7AF80C91839BAFB01C02103264,SHA256=D611C0F40C207AFBC7F84211A5F5C56EF79AEF0A621AA8F140EA7C548D5871C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8958-6151-9A79-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8958-6151-9A79-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8958-6151-9A79-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.654{69CF5F33-8958-6151-9A79-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001048829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:26.830{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53266-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:28.107{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD4DDD0313A8B172AB6B4A0F7D5537B4,SHA256=318C400A8207CD01F276F1C23D66CE31D4A843B5A57CE0CE6F6AE18C350B40F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7824617F5FA185225D343441012CCD90,SHA256=62D1D445139FB6B15DE003EEC352F1D150FE3E76A553BC352DE1122D195F7A47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.142{69CF5F33-8957-6151-9979-00000000FD01}36923508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000977530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.904{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=759D5309F19834A7BFBC4EC88F426AC5,SHA256=2609D9EBFCC6E57CB2074980A73B439853F0FF73BC67A3C0F08013F30661ACB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:29.659{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1836191B6C954DFAB6E7278C33C74AA,SHA256=D6F68C34FC1F72A8D4BFC0C4BC60F3101303F2851C9ADD5325FC6462A972F8A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:29.659{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA28EB1BE263FD212AF2B6D5EE0505E9,SHA256=0D415F80011E11DD5BA957C3E9590EF6B7A28B1A44A81C6DB182E975EBAF280B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:29.208{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CDC99F787BD36D8CA17F4348F8BD083,SHA256=37B7E0B97B9BD63DCA38DDAD1B02582B711D641DC958E8990A6009E9E1D5F17E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.701{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CC11F5DFEBF40C59CFB5B7400715D74,SHA256=82EBD844E233715124937895A599ACE390723ECCFD7FDC47DFE42CB95B81EDD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.529{69CF5F33-8959-6151-9B79-00000000FD01}25002688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8959-6151-9B79-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8959-6151-9B79-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8959-6151-9B79-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.342{69CF5F33-8959-6151-9B79-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:30.919{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A0B8A4448F3CA6A4201B91FC6D2A73,SHA256=A7525312B11D7831921E8A3660B822EB4F46F73A109869F6008D31141B2463E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:28.286{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-49183-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001048834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:28.020{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60759-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:30.228{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB9F0B31D57CB2CA3205C59FAF4C577B,SHA256=5567C4B0E2ADF3EF7FE6F7B8338F0C284AA423D2A1907EC19A1263269E9735A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:31.289{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AC7DC294EDAB05E488F096F9B0455C4,SHA256=F153B3F9B6511BEEDDD294512727C82A11707ACC68BCED725C0A78B022CF9B3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.604{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59284-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.316{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-57596-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:31.482{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B02F3300E51CEF5FC19E6B9EBE047C34,SHA256=58230CD0B563C7848FAD093559504307B51AEC844DA602445E5CC436C49B88D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:31.207{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:31.206{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:31.206{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:32.541{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B64CE76A2E29FBCB00F29CB03C38C4F9,SHA256=B95F798392928258F5A42F20897BDBAA231D88B41AF4B1EA7E027BCF0E4474B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:32.306{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E84E4E00B743AF2FF6F86D052D1093,SHA256=0BBCB30FEAA5B3D6BA29C36ED19D93365071A37E0AA861C4A8620CCA93F00F88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:32.497{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=79A46BBAB59DF7ECB3CBDD40AD461678,SHA256=501CBC8B5169CC4A15D930F5904C64CD7C3D0DD4A4B8A4E588152E86C8A56A99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:32.154{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4840CEAAD7F1AB3C2D1047CC83A188,SHA256=40B4F53B4821EA13C97FBB332DAC709CEE60417103AD5947BEC13E7F3F0C9B70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.814{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59307-false10.0.1.12-8000- 23542300x8000000000000000977537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:33.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC6FFC9F5A1CAA85A6FB474C12DF9A2,SHA256=DC29DE8C2158AFE178FA02FADFC038EBD6D689FE41E96F414D758D31B64D43EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:33.340{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B5523BB6D702471A57EE384A228233,SHA256=4DA6CF0F8337D30F7A5F119CAE9C1A1B02A7BF7D7A32CAF86809ABE825B22E1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:31.465{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-11413-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:34.591{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D57A56495341203A7176C48E98540B,SHA256=9A986EAD7A25301940565689F01219D2D2C26E8EF26D5582B56A6F5521843814,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:32.795{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53267-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:34.371{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F82C45126BDE25D822956FE7894F84,SHA256=4748C8988911F222087F04AB088543E1D47B7D37E564B4A16B2CB22477CA8D09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:35.607{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D00BD8A77F0CA7D4112F4A6307AA47,SHA256=00D02F052BD45F9D31822563238BFAEB0F16D11E49A1B8E9C3684661707116C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:35.955{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=A0BD835E0DD1FFDE0F054BC51A3DD10B,SHA256=7FC9DBDD49BB829249853D095F9ED5877F7D3DE1A03E80F389B25644E78CEEB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:33.264{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61555-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:35.387{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=385A227AD41E56CC10D225B0B01D003F,SHA256=5C09760E898C5CFEF48EC29A8FA09D66DFFAAB54547CD486538CD7EBECB758E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:35.355{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5C802557E9A7E6669F80C2420303E2C,SHA256=246A1451E64D99C7B4E27D0B65934D8A42029559440589A06ACA95C167656365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:35.355{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1836191B6C954DFAB6E7278C33C74AA,SHA256=D6F68C34FC1F72A8D4BFC0C4BC60F3101303F2851C9ADD5325FC6462A972F8A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:34.360{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50147-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:36.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAFEB72BFC19ECD1BB8072C898A467E9,SHA256=1886003376BB2115557D6C80C3F2DA3222418F4E48A62388C2EC9660CEC33E45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:36.487{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:36.387{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0ED915773161E93C9EB5B0E4CB111B,SHA256=AF9AE896BDF50859FBC116BB3C50EC172BCD0F20EB78A84E4D3C5794B8759621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:36.419{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14F96A9E0CCB6B6FAA31B94A22C578EB,SHA256=237D1DAD7BB810CC96427DF0BEB22AFA49B2118F2994B649037C334B437AB896,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8961-6151-9C79-00000000FD01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8961-6151-9C79-00000000FD01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8961-6151-9C79-00000000FD01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.748{69CF5F33-8961-6151-9C79-00000000FD01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3405C8B54337B4A7F8D9E2F2C6577DBE,SHA256=B8B1596C072AD22ADB5A0EBB6DBA1B40BFBC37190AD181D289F2BE5D0C1DC661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:37.608{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5C802557E9A7E6669F80C2420303E2C,SHA256=246A1451E64D99C7B4E27D0B65934D8A42029559440589A06ACA95C167656365,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:35.969{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50594-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:37.423{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC57364381D7D6645E51AB0ECA198032,SHA256=59C9F2A789978ABD81653EE9E4591EFF80F4F2BDEADAB9765E972EFC74AB2DF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:36.163{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53268-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001048855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:38.423{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA28E45E4DDDD953ACB408073EABBD8F,SHA256=03050D1D067447D1AD5388C7F197ABC7468EE0CEFA9F6CF5CC675170DE309828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:38.779{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=763E6FC14725988EEE00B6034AE4FDE3,SHA256=99931E1DFC02F0FC3E83D551073C197CA8CF497840FA84C53362A1E619263361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:38.638{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=765D9ED40CC2948D80A6B8A8EB0D93E4,SHA256=6608B66D78E0A15A1F245BEF8E6062084551D286629F073CD7612874D71147AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:39.654{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=105A0DCB0B585D91B1D7E2A32CAA435A,SHA256=6BE6C8B1931753996553A64143EA9219E97A16C490A4B17069C42B880654B609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:39.424{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5A7B4DF3D39364D271E1D2C3CEE3B1,SHA256=018F48E1810EF28F2E11EFA0104F56C22E041EEFAC8A000F4DC63ADC3BF8DBDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:39.223{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=98AC36DC0EAB602C99E1F91B1EFB5A2C,SHA256=9D04587B201DB748B86645B132C2ABB5F720F4BBD852471A3164139EADF9A589,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:36.422{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-39921-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:35.720{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59308-false10.0.1.12-8000- 23542300x8000000000000000977564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:40.700{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C84D162456F8A8C5141986CEEA0E12,SHA256=02E65EF9C8DD4F26F79F44CB2545D1CAF90AA724FE1CC91E8A1C7F22B0589B1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:38.746{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53269-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001048860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:38.643{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64842-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:40.439{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD63B568F378C8A292DB55109778759C,SHA256=CC6A640BED5F10205202ECA29ABD55F9CD71663B2E910DB5293F902D8787493A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:41.794{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7117FB3D7CF70859271CDC17754345D,SHA256=1CEDC047D21A01F83570952FEA5449B212901D9DC492F7E0E98E54EBFB5ABAC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:41.485{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=898C69D8227175005AAEB2A7A197784E,SHA256=E07E4EBCAA5FAE6593CDE17AE6E94D75CCE8BCF3137C9C76B36EBA009E61B925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:41.419{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9920C7DB240DD75BA9E397559C172CC,SHA256=928D2BA762E556A978292DA9050519523F020923A8D5A8076416355B4EAA61F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:41.222{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37A0F5269E850F68CD274EAE454D4540,SHA256=CED5C9032E1880FCFCA0A96740024585D992251246A87592FD608E1B70AFDB69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:42.809{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9E5FFE58BC991D6CB3D3531219C40F,SHA256=D2F33CB833F2F9B0799193AAA8A6C07B278FB0820D1B2B6BFB0F140E7807CBD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:42.512{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35E57FF037DB93CA14B669DEE11F9E8,SHA256=DBD4200D1C58E250FEC79B94BEF9C49B9D7B0FC6E06221680BD680D410A96302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:43.841{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEDEEE520AAD1701691C8291C60568B6,SHA256=80AA1519917CFA094219AE91E9C206C31E9DF0D6A1357CB834B42E9ADF6327A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.825{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507C3D492A97CAE0EC7B770E245D66E7,SHA256=7BCBA381724177399E8131EABC3FFAE7BEA160A55AB2B10A527EA1310D9A48E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:41.839{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53270-false142.250.185.170fra16s51-in-f10.1e100.net443https 354300x80000000000000001048920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:41.837{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54648- 354300x80000000000000001048919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:41.835{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50932- 23542300x80000000000000001048918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.607{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.607{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.607{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.607{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=C143402B1C4118ED7B00874BB55D3156,SHA256=681A0704C2C3DBDFB684A05706A01805E4A396ACFDA7D8D591E54237E4DEE64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=489DDF1C6CFFF3875F1BECD21EE3A913,SHA256=10226DBCFA9F6058B8A2FF0536E4A23EAF40F4CC71CC6168647D97C1D538D4AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=09787D3485A141AB7CAF4E45097E41CF,SHA256=A4241698C55A5DDCAF3E4EC3F722118F9E907950C6C1F7392E2176F1E1465A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=1AEEEA7EA60A51A8F1456D70A42D8B61,SHA256=B2DF4398A94473215D5780AA01A99E635D9682ECC0348239499A58FC9D9D5120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=1A2A0D76031427C66DD5EA7ADDEC1512,SHA256=44AE352EAFF903AA7391A6F54B4E361EB1EDC0CA0E1DA31CBA95030BF9EBF54B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.526{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=2F5C392EBC79E27B8B9BAD15C7CB74A0,SHA256=8A7C7434E00E8F4027865CF9485ECECBF5FBF8D53A9913DCF047649DD93C9059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.525{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=064538D3390E65CB233A19B688286D61,SHA256=D36C3EE688F25BDF1DA9B30054A9CC343255CDF9A0C0BD61B0D9FB3690C38D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:43.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EABFA4D2C461CD15F82B300153CDE73F,SHA256=62D601E2F9E2658152D37C6D33F9DDCC9E55CC84E97FE9F73D21C900893C4B9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:40.437{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-10269-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.507{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=AE6189F74716A8F32F14CCFEB9F379BF,SHA256=83932E763C98FE4DDAA607F84CE87F110EDDB391182C6A22E9FCB1799437A630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.507{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.507{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=5ACD66DB29AFABE23566110E44DBD5E7,SHA256=AD73B565DED09760945E8AC426CD4D16C8DEB3C202E8ABAD356EABF62137D2D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.507{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=09730D2F4F3A8D37AA089DE0FB5A9366,SHA256=994D7D3A877BAD02F071B9706C59131E2D758D189E15749F1B30F8058AD74552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.507{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=96C2F19F1842DCB0D73739830623C769,SHA256=D0419C462A55E1634AFF5B51C08E481312AF6A36B5EBA1AFDC2458967705E5B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.507{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.491{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.491{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.491{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.491{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.491{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.491{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.491{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.491{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.491{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=BF6C363FCFE18836F5B693AC897B03D0,SHA256=3436668289A12D65E3C22BC60B8E2EA8D2D6CF15DF1402FCB3C16DD875D438E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=D5F2E2EC2D972EA4E3BD5E52478574EC,SHA256=5A9F549160D35C4F4CCD6CC4EF4B63FF1A8859F8374AEA866A10F61DC2559E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=914534BA8A40B6B03D6D9B771F2B19BD,SHA256=35A2915F1843458284C8FC7CA759EA2429663896ED02845849FA9A318F53EC0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=AE7986A0220B25D6A8A8D964DFAB18A9,SHA256=204DECEAD5EF0D73D35420F74EF89BB5E7080007726E198A26D8553BA5B257D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=4E114A12FE1D8664A2957286D9C690B5,SHA256=6A1E487E1A25DA4010DCE4BC9DD610DEF85DA683FAC9D704DD2A50664E5A60BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=775AAB007F2E4FF49FC45DB938962B25,SHA256=D3DA5191342AAD67DAE5D80DF6ADE9D325A8A9D1131BADFC19152B6468A62E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.460{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=96C2F19F1842DCB0D73739830623C769,SHA256=D0419C462A55E1634AFF5B51C08E481312AF6A36B5EBA1AFDC2458967705E5B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.444{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.360{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=1AEEEA7EA60A51A8F1456D70A42D8B61,SHA256=B2DF4398A94473215D5780AA01A99E635D9682ECC0348239499A58FC9D9D5120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.360{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.360{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=AE6189F74716A8F32F14CCFEB9F379BF,SHA256=83932E763C98FE4DDAA607F84CE87F110EDDB391182C6A22E9FCB1799437A630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.344{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.329{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=2F5C392EBC79E27B8B9BAD15C7CB74A0,SHA256=8A7C7434E00E8F4027865CF9485ECECBF5FBF8D53A9913DCF047649DD93C9059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.281{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:44.981{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24016027E2BD54635843E0F602FD5F7C,SHA256=BFBC3565C0BD735A185E8B8AB2485A86CC4B518C6F0EBDCCB39E1F1CBA087DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:44.903{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F57F41D48557A674E3A0A585D004F1,SHA256=C4690D1BFAC2A87F8F2F9A5B867B9C9DE9ECBD7A2AD72CF01A4EB43C016A9434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.945{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B0C13650439F48009C6B31AAACE082,SHA256=41F26C4E5271F64968A6E8D11A746278080297D08AC74F0948BECEFB426AF5D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.760{5EBD8912-8968-6151-087A-00000000FC01}64125980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000977572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:41.766{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59309-false10.0.1.12-8000- 354300x8000000000000000977571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:41.111{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50589-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001048931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.592{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8968-6151-087A-00000000FC01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.592{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.592{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.592{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.592{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.592{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8968-6151-087A-00000000FC01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.592{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8968-6151-087A-00000000FC01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.577{5EBD8912-8968-6151-087A-00000000FC01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.126{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:45.903{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E341302F2E5171111F66F5D63951D5,SHA256=F18A98A1496F9931BF89BA9174FAFFF283B957926CEA60CE7AD66420659676AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.975{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8969-6151-0A7A-00000000FC01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.975{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.975{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.975{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.975{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.975{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8969-6151-0A7A-00000000FC01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.975{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8969-6151-0A7A-00000000FC01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.960{5EBD8912-8969-6151-0A7A-00000000FC01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.906{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF07800C28174DB13530E1CA70F271D,SHA256=A716C02A15A1F048CFAACA918A9F08498D6427A282A71AF3B5A6EE35DB605C88,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:42.287{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57810-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001048943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.333{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51886-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.607{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D71F52700DAF119D3B9540D5B9D7E49,SHA256=4B75E901F4841853E058888C367D1C49EC465DF83C02E09FFE33520CBFAEC11B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.276{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8969-6151-097A-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.276{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.276{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.276{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.276{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.276{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8969-6151-097A-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.276{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8969-6151-097A-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.261{5EBD8912-8969-6151-097A-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:46.974{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39D4A4152E706B9733C51F98EDB25F1F,SHA256=3C68D6A032D80B8867917A0DD4C8DB6401AD7CD8193549588FF5F00D59BE671A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:46.974{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9AAA193724FB565BFCC5C79C98D23F9,SHA256=A80C183CF55CB306AC683CE5F536913B9861420821DCCA46DCE42EA2FB06CED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:46.904{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=003107179FE2DC6FC1FEF67BE8AB5927,SHA256=2EDB07031F6CC7E52D2529E2E1B9DFB7A3B0D8B2EBCF95FAEDA55F2222A7F177,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:43.610{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-22883-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001048953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.768{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53271-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000977579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:47.919{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3DB3360CBD28FBAE0ABE4A0D3C5CA82,SHA256=A5B2D4319EEC077BDAC390599C5973D3BDF1C17F6166F0763C2C0FC7AD35EFD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:48.935{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1577BE75EA368F538292DE267909DBBD,SHA256=3251ECC717E273A04A765A3B4CA5644643C0F8ACB85158F4FDC3127FA6D0FDA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:48.358{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:48.105{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF79F06D4F6769E29F407C6D1324537,SHA256=D5F61E20D494E423DBA9EC947D2119A4AE6ED795F58D303B8F415B7844D0D5A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:48.731{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A3F9D41FAB4178D5186A6D8341E695D,SHA256=E07736487E3E93DAA0AC58045374E413FCF18F8012E5803EA3D70C4BDDFBAF95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:49.988{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:49.756{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:49.123{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0A44ED20CD1E8394F0120DFB1A56E7,SHA256=038977DEE4B113139EECD44B9FF7D7E0C9D056C3EB64546D4019A8E268A9B4C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:46.892{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59310-false10.0.1.12-8000- 23542300x8000000000000000977583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:50.169{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7EDBE2004D6FB98211E8B3A0EE8E2E,SHA256=CCF789D11EB5B9C0B4A16CD45440A96B35C4AEE14B3BE9C1249AD48CA570DD0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:50.141{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1263961E677D3FA9791E3ADD4166BF86,SHA256=93A77D433C9DCD845A500B8018398ACF6DCA33AA8662D6D682622029B0052E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:51.403{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4816014BAD4C4F3C32A3934E61DAC66,SHA256=B605E0F166CBEE58C400696C3CC5E361B628323674499E7A6DC983EA388A4CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:51.147{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=876BFC52216463AC719A6F238C585EA6,SHA256=0CE2057D8D1EEA9C9BC9C191CA5A50844A70B78B66734CD194F5A005EFC5BA61,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:49.134{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55557-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:48.722{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-52529-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:52.575{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3873876974A4022766CE32E958464E65,SHA256=3E34EFD9C7DAA95F35A66CD3FA7E80AF0D97D431981D7ED813C63F16FF0CE0FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:52.419{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61AB295E1A21E8A8425E1C6C56C0B488,SHA256=AEF71F3E3D08258917FDD1CF3FC612A95D802C7AA7A0685A0FD388536081249C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:52.148{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC49F81E0825FEA2D345475B2E8E87D,SHA256=086F1A722A04AC6CA5C8C61C71F75D1D6E09B4D6F2AD7F9C9ADEA7F295C32BDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:53.653{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7832B9767F2F96AED8ACBD5F0BB16A08,SHA256=9F50B6A1261459D102C2CE351FE278CE49103DA837020F7BA47CE3DE7D813FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:53.653{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A0C7EB73C3C99CA315F3420278C653,SHA256=7BCE302A9B2F87BB57B54CD4F227C99C2DFB8922B539A9BD3DF2155D9151B81A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:53.878{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B9DD017BCB667C07810F5EE6C029C79,SHA256=FEC97E1D0F5FF570FE57D0D1E6560B792E6CA5EA983C40CE60484817A53C6F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:53.878{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B886AC4276969FB0BCA6A4149B2A4753,SHA256=9DD2A613CE53EA3252D765819FEA906E32C124081BDDCF3296161C82C186367E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:53.348{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2350DD2D660886B140F28BA6DB7D2F92,SHA256=93A687414D8E5177343624F041D8EB3DC3F6F552ECA63B67FFD8E31D21438B83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:50.786{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53272-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000977592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:54.811{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5145063FD4F73BC84CD443685AB4B9C,SHA256=6EB4176DE46E200A57A3D279E5B72220A66AEE0E10228AF88F74E33BFBD08995,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.882{5EBD8912-8972-6151-0C7A-00000000FC01}49801424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001048987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:52.991{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57346-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001048986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.713{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8972-6151-0C7A-00000000FC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.713{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.713{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.713{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.713{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.713{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8972-6151-0C7A-00000000FC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.713{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8972-6151-0C7A-00000000FC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.698{5EBD8912-8972-6151-0C7A-00000000FC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.350{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9969D8AD8019BAD72A1A963CA11886C3,SHA256=BB950CF33FD1661CAC597B9A288C5E26F461716578ED8D68EA4C9EFB90FBD531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:54.532{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4302MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.231{5EBD8912-8972-6151-0B7A-00000000FC01}65681644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001048976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:52.272{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64263-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001048975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.047{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8972-6151-0B7A-00000000FC01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.031{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.031{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.031{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.031{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.031{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8972-6151-0B7A-00000000FC01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.031{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8972-6151-0B7A-00000000FC01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.026{5EBD8912-8972-6151-0B7A-00000000FC01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:55.904{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F857F7610EBDC59195EEAF8580FCABE8,SHA256=2F3BDB3FA8402D1CD31F6475F6B9ACEAF45D23B08D5ABF5CDCC480F85833F47A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:55.826{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69BC93D65D707D924FC4CB8C8A970C50,SHA256=0261E55DA83C8996115A7F6ABFFF757AAF3D96040E92C52370BD0705A2C6B6AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.484{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local389-false10.0.1.15-64586- 10341000x80000000000000001048999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.582{5EBD8912-8973-6151-0D7A-00000000FC01}60046024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.413{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8973-6151-0D7A-00000000FC01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.413{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.413{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.413{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.413{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.413{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8973-6151-0D7A-00000000FC01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.413{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8973-6151-0D7A-00000000FC01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.398{5EBD8912-8973-6151-0D7A-00000000FC01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.351{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88706E549895395D5B5C432E23A0F8D6,SHA256=D02C0F15F2F7A3C4A8CB8F6545B17C768D7C33F72E319819929A9BFB9220B39F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:52.877{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59311-false10.0.1.12-8000- 354300x8000000000000000977595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:52.656{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-21697-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:51.712{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57188-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:55.531{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4303MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.051{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B9DD017BCB667C07810F5EE6C029C79,SHA256=FEC97E1D0F5FF570FE57D0D1E6560B792E6CA5EA983C40CE60484817A53C6F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:56.828{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C32610CE1A8B47CBB782FDD2274C0975,SHA256=8042B1ACE6FF5C8544C58AD0B4471FC78E369C43E683EF1A754025D74D0C635B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.399{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD43ED0A8E41C5EDD1BFBDC5897BA5E1,SHA256=5265F03B75D52EA7960D82C380F3CFE6BBA260B9ABFA4EC6A570AAA73D2825C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.367{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CAC23C88715B3BB676D18A182F945DD,SHA256=F777110D6EE5E2858D7AF6E6AB81362931776414F1CD88C0E70C16EECCEB5BA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.136{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8974-6151-0E7A-00000000FC01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.132{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.132{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.131{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.131{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.131{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8974-6151-0E7A-00000000FC01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.131{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8974-6151-0E7A-00000000FC01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.099{5EBD8912-8974-6151-0E7A-00000000FC01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:57.828{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F3EF4F52D420A1C5E4F3225886882C,SHA256=250F3E318761096D684803C701AFD422F933D4EE8C8A2B1B98F799B690A96FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:57.368{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063E50F84545E867379FF2D0806BD403,SHA256=732B283B33286EB0EE25CEC3B1AB58E1EC064D858FA638A4C68DF6D9BF538503,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:54.931{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-34520-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:53.422{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-542.attackrange.local64586-false10.0.1.14-389- 23542300x8000000000000000977604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:58.843{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C3AA5306B21D6AEC973BEFF4831EE6E,SHA256=D42B7593B64D429DDFCA56D2A2DFCF33C77AF2D0CC571510CA5B230024969D60,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.774{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53273-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:58.382{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C76F31381105E87DB57B2C1D92A8CF,SHA256=DCA692D1609F0CDEBD681927F7A92AE6A3F6828F16D96767ED46D6650431AD4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:58.047{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D76B9460310FA082816EDCC43B4799E,SHA256=C697E5C391A3F0EB67CF84C6CB645F807F9C5A9C152EF3F1AA82E66D3062349F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:59.968{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD6DD7685DA4446A3A48FB499DFE3370,SHA256=DA1EE1639858EAE40CC666850B7B8B77964E6CF1640E2AF24208C863C27525EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:59.843{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B051FF3727A678E1861C3B67EFA382,SHA256=AE971698A12F6BCFA8C4DEA3D5C9C9CDE862AEEB4271154B6BC587DE69A7B9A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:59.653{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22372538F39E2F4FA016D7AF8121A124,SHA256=B74D31A563385FED29831689F38B3D83ADF9B6F3791F4CCA6BFDCCA09F4BE030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:59.516{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A5E4770E3B643A07ACF027EC058647,SHA256=F94FCFEA2CDD81BF81A1C6C70056AC9E2ECD4AD143CF7C994DDC64C8CD966F15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:56.960{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-46620-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:00.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C20BA74F06CDCF73DAB69D7516682A,SHA256=A31DBAC9A5636F1774865DE17004C7369A98BDF1510F7C90B3A9DC287D90A68B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:00.537{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000AF7F8D1D420B81198E55C26AEE408,SHA256=F019EB6E0CE749C107D0FA81EAA0C25E2F152DBD041063407BF16A2B4F26FCB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:58.033{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60465-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000977610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:01.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8F9FBFB55A03C47E8806F89897ACC7B,SHA256=1394FBD67724D60A7079D212E2B83E7792C57B4D84859324CC1C808ACD47ED2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:01.830{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:01.552{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4AF9C94F7AE6EF909C91EA04FD0165,SHA256=A1DD02FBBA424DA3D7E3AAB04AC49357BA250F2A210413DFB73E1064F533B18F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:01.390{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CE60235CCA179FEA0E26E58A2ABE5FC,SHA256=9774C3A77DA3A13A8D0D5BEBB2C77D99BD8110E27F16C04A29FF0FEA3D6F3433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:01.099{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\permissions.sqlite-journalMD5=CFC2022072461F7DAB555B50898A3BB4,SHA256=A7BB26A1637BEFAAE6E03AF6FCE701E00A67EFFA7BA4140BE4EB555597761A48,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:59.986{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-58432-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:02.860{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64A56469175F6526095598F0DD65C1A9,SHA256=9F1B4CCDC15D1A80153B641CCAC2FBFFDC961FD5AC13620539A484764E3F127C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:02.567{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5142F2248739B33774CDD074A12F4452,SHA256=28ACCAE8E484EA6CB15675E1B5D1985A3C5EC0782FA79C713402B3DA6774EDCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:58.816{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59312-false10.0.1.12-8000- 354300x8000000000000000977611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:58.675{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-55147-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 13241300x80000000000000001049023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:06:02.282{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001049022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:06:02.267{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001049021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:06:02.267{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x8000000000000000977616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:03.875{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D229DBC35C0AD18EB70C49D41837B0B,SHA256=52173F3ECAF41449A59F0E7E48828681CD84D197D1BFCB921C708AF71E6714DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:03.581{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2206261688DB4624354DA4E9F37772D6,SHA256=C61AA4E4E0D2BC686549A10FF42DE2AF42506BE0FE18EC131486F25117AD2BF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:03.438{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4630456FD275BFC228A484D8DF66872,SHA256=F63A66CB21238070DC8E437BF07B3C289A7AEC20E9A7CFAE0EF095BC68F73793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:03.313{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B11B4AA03F4F7A9E1C19AE819D0B720,SHA256=84CE54830FC0D047025E80D1F59678886E5E96D26CA307FF2592970021667747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:04.891{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C1B0CB1C5BDE54D7BF430CA028C5607,SHA256=F0C719F9C9D338FCFC7F1EB41EDA99511E0B842CC27285A31F77BE93F11AAFA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:04.612{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193FC648567ED03CE8735FACEF362342,SHA256=CAE5AF65D053AEB0CFD9637D2C1526E9404921CA7B1E38E2997D7A8653FF094E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:00.780{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62859-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001049033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:01.991{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53277-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001049032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:01.991{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53277-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001049031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:01.979{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53276-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001049030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:01.979{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53276-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001049029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:01.960{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53275-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001049028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:01.960{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53275-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001049027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:01.921{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53274-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000977620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:05.907{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB6FEA3FE2E946A01845710B42FA7A46,SHA256=343E4E50B14843E4D3A9339A7A4AB0B9DAD6C932AC92C24A29F8975859FD520F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:05.650{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C041E566C1A9444E79B390C78D3823FE,SHA256=A2FF67FC474143F7C759246B5414781D56AA8AB8A67F16C9BF9868CA7FFEAE30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:05.110{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CAEE3C49DF44F1E35A641DB4B8E7F7D,SHA256=568C15A04D0B4C25A213A75C937B1D36FA65CA87CC5E152E8F17D9F1929EDD7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:06.680{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439D9A4254A58F7D5F1D1808A1C43347,SHA256=F2B8398A2083519E9F662F2AA556104D6118267815B94FA87FF31186EBEEE09C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:06.922{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B786EB4EEEAEA344D4FA36D0CACB55FD,SHA256=21763B2EE656E62A946C2393CA5B99966DC6D8A02B53840212D432AE2A334F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:07.938{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4EFE42FB77D0F6DA1D90FD0A597A433,SHA256=300AA9E600A8DE3233B5F6D19CC35A72B2603CE8D657D03F16CB14E4DD97BDEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:07.711{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708C99A19525AE00AB829C31DDC9C8BA,SHA256=BDE09E9FA7B4C2F9C041081261DF76EB52AE9AC7E72D553DDC65B9782468300A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:04.149{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-29169-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:07.282{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=664775F433A71F60D845DD8500182D8D,SHA256=6A8C6D9BA79D9CFEE0C6D5D5612DC9C998E623C37ACB34CA3F964B1A676DB1DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:08.752{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BB9D4537C24F854A7F161A7E16526A4,SHA256=E91154A20FDF483045DC9C179955067C02E036996B765047A1569B8B9CC40B73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:08.752{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C6CDAF219836444A05DD20121B0E225,SHA256=0B117E0321B8B0EA9F9018DC1C5012795F43CB518559EA7E977C23FAA1CB9615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:08.715{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D27441CA31745F983C357FEDC4BABE44,SHA256=E4668066A3E9603292D701DC5BBD9C9511027C2B7080F495705C2632C54BA379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:08.625{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF9785848187177B7AE402DABE923E43,SHA256=AD5FEC5CAA2C92D544DCE0ED848EAA809ED5CFDAF334F85F25C305A05A5002B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:05.367{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49418-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:04.707{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59313-false10.0.1.12-8000- 23542300x80000000000000001049042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:09.716{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F9DF6D72174B125A4198CB0631144B,SHA256=C9230A4479FEFEE62C54982DED573C1043E1E878406C1F3FFDD0DED8A5AB244E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:06.266{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-41936-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:09.172{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FFB4AC44706BA19EA3BA6B0B1EA64B,SHA256=DCF04BFEE1521FEBBC716CD2EF2A55E539D016A506A52AECCB40640CA6992C39,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:07.141{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60726-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:10.735{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974A617EF7FC593A9875780E9C965169,SHA256=5FBE6D2D1AD6947704E5FF7F494753FCE6460F6EEF671F8B995B531A3E8EDA6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:10.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB6CA99F0215F37537DE023EB543416A,SHA256=14ECA86D12D5D3CDFE5ACB8635A44DCEE7A8F7E83D470C8A41C6AD251039B4E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:07.859{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53278-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:11.752{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B58F7D4834C196D3F8F4544971D86F6,SHA256=63C17BADA0BF28B85B61F3F6F0B068725857BDA6B7AAADC9237B4ACC639FD064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:11.454{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F11C8788AB5DAC1EC5DD209ABF1384B,SHA256=E2E99068C8FA873DC13FF7249F2FC296AE1A4F9631232287DED81FDC4D15259E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:12.947{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43DC070014135CD21A1C6A4D037ACAD,SHA256=7E5B40C39A327FF0FD6D8F41A621675F4654FE338853485BD4F5018A33D35596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:12.688{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8ED65C8090823CB265DA70121A0E2B4,SHA256=FB0021A89A60ED643AABECD3DE268B4F5479F1088938E933F85E3C14A9EA6677,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:09.817{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59314-false10.0.1.12-8000- 354300x8000000000000000977632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:09.240{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-53428-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001049047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:13.966{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218FD7050D7AE67B4890E4B4CCE8F54A,SHA256=DAD38237C60B0D673C793E80575A4C92A401E5471611DF24991A63499E5B83D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:13.704{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AABC42451C5F864CD0BE7AE49239108,SHA256=AA16E01F98F58CD3413686FD610DF8C6CC48D25740558B2D2DE3CA16BCF3BCC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:13.547{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:14.719{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D5D976E58047F9669485F67986E38D,SHA256=424F8F2FE0F6447CB6B8E244FCDCB1E3D19DB11CAC814C20B144DF8C3592E933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:14.997{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B77E1C7BB7399EA1AC0057D1C46836,SHA256=92286AB61FD6223FCB73901673F4906042A92013E010DD66591D5927C1D15128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:14.469{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=234EF1755B01BD901E71C7CCC3DFCF11,SHA256=1192698C1F14AB64AC77F08E3369BF6551AF779BAE5281C8F8C6C0C8668C27BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:14.469{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86106F199DCA6DA6275EF7A86DD809F6,SHA256=9C4D70CDA1347565BC8597906C94C9755F59C78FFD20704D97963B31F97C4EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:15.969{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F71F46F0FA84FD980210847E3B53A376,SHA256=DE62060AABED9A03EEB9B59AC39181A204B47041DC0256C01430F6831C430385,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:12.192{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59315-false10.0.1.12-8089- 354300x80000000000000001049049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:13.758{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53279-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:16.964{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89E2FEE10AF30409FCB0338C66E20287,SHA256=66C19BC3FA97C77BE34F65928C881EDF86E729E7C75CB66B79119A175A278A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:16.964{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BB9D4537C24F854A7F161A7E16526A4,SHA256=E91154A20FDF483045DC9C179955067C02E036996B765047A1569B8B9CC40B73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:16.027{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7350F94437F1788803FA091F0772D58,SHA256=93D42BD73AAB529E51A6FF188B4A5464B26EAB2853C7F2568F99179CA9D9F638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:16.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=234EF1755B01BD901E71C7CCC3DFCF11,SHA256=1192698C1F14AB64AC77F08E3369BF6551AF779BAE5281C8F8C6C0C8668C27BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:17.563{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:17.563{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001049054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:15.327{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50684-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:17.044{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E726DD3D8472C8B0C1D66C699A41BA,SHA256=0CD33E307BB1E81636DAC8C7E25123DD503AA3798B5D06D6F20B054761258FFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:14.480{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-24283-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:13.670{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50197-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:17.032{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D4221973DBA6621727627FF078B172,SHA256=9A6AFB0C7B4A60FE0FE136CCDA34C475DF92C85AA9A7210C33BACB6B6323B55A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:16.003{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53280-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001049058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:16.003{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53280-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001049057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:18.048{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6F29BEEF259508227BC7FAD50C2D17C,SHA256=3441DBC0BDB6ED4303FCA7702B412310BE6F5310EA9E88D02C25D1D87D092720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:18.047{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=056BFB884669E51F9C283CAFC85397BA,SHA256=DBEEDC748DEC988D7BF8ACB4D09F0893376AEC2588783F9CC4906731B80965C4,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001049064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:17.903{5EBD8912-7B3A-6151-3A78-00000000FC01}7120pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com035.155.6.125;35.167.102.239;54.187.157.95;44.239.125.99;35.162.134.178;52.24.163.249;52.37.158.247;54.70.80.82;C:\Program Files\Mozilla Firefox\firefox.exe 354300x80000000000000001049063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:17.594{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50084- 354300x80000000000000001049062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:16.796{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55878-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:19.110{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89E2FEE10AF30409FCB0338C66E20287,SHA256=66C19BC3FA97C77BE34F65928C881EDF86E729E7C75CB66B79119A175A278A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:19.110{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308C755A2F9F677543C986D465F4D0F7,SHA256=18BA80179BF31C3FF47FDEDDA1E9DD92914AB2072B67E4994CB7B08C0F9F04B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:19.625{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36EE375F4E0FEBB1B1AE236A57835E70,SHA256=CD926AFD88196A1FA37B82A36E7D9FE24D7A91293E66E48C2DB6F978CC551FDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:19.063{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA34D5B435EC7025F403E7C136ED46DC,SHA256=44FA42C0829695D282A9A5A7D28A4F066AA764AA06572FA47827136E4C64BD4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:15.707{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59316-false10.0.1.12-8000- 23542300x8000000000000000977650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:20.063{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF42AB6EA5311BF40284DE176359154,SHA256=298B7F28BD4DCA092BD90934A490BDD736452F11748E4124F127F2A92E6DA1C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:17.962{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56638-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001049066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:17.740{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53281-false54.70.80.82ec2-54-70-80-82.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001049065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:20.144{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B699741D4A7D4B5DCD9E0655F66098F,SHA256=7CD97B0818B9738A398DBFF349CA05891613666C38FDAD5C98B0F344A64DC4E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:21.078{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5860FE5FED4978557F9E7F43FCA8F9E,SHA256=271EEDBFE1159C695AF54ADEC08647E9B1C9604D16FE8335B26A4434C0D773F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:19.736{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53282-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:21.161{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B0BF93414C74245AE718E1F83BC03A,SHA256=2F82112101ABBDEBF66CC994EBC3AABE57C6DB224F3D0B38087D1BD59A637CE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:20.032{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56879- 23542300x80000000000000001049070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:22.176{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AEF5AFBD866227D27F66171F536DD40,SHA256=9BDE7F96199E5B6C70495BB0F3E6340F27FF020E52E03BC756B12390776FC6CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:22.768{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6059427097F554811B950D134BFB1B06,SHA256=26C46DEEE376A0141AD5B7B7541714921A37A90FC10938D6652C693C87145768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:22.094{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE683B22D254D27D17900492553137E,SHA256=CE47E446027F4F9BE65E7CADE948809295183B82D68CAFA39B539382990670AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:23.191{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55EFDC1DFA17454BAA6505561428B7D,SHA256=08EAD8E323FA8EFB2817A0C6E668B20BAEB1884ED604A2A4FCFCFBE0DEBECE8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:19.775{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-1708-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:23.096{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15BD19E49D916D88533E78B81789BA66,SHA256=D74FAC43B37B025B786DF25DE84ECC64D2EBCD0734047B7D89A815E1F7782711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:23.062{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4302MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:24.240{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=570E68AA5436B08BEDF87A123B4D50B4,SHA256=76A54778D5DE6EABAE2986B6B0F9A22711D1B93B8EA6B98C1CA5E3F2B50BF3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:24.346{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7F8D2B47D345DCCE581E7A392346B09,SHA256=705ADA9B313A926700F58F0D9CE970863F2AAC9B5C229C6D3E20AF7D55400ADE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:21.650{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57946-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:20.895{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59317-false10.0.1.12-8000- 23542300x8000000000000000977656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:24.111{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE2B22AC76BBEBE52798ECED468DBDE,SHA256=A35CD162A47A40A8D4C7A42DB02E2A0F287978FC18F40C2068E4AAEAB7F6D143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:24.077{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4303MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:25.259{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530C6E270D9FDDB297E69C56AAA25C67,SHA256=77FEC44681C226F6623A441B5E7208D84092E8D7A6ED5A0E80942E8C9E9F3345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=785B9D9901C902C28B4FA0085A0D272F,SHA256=E2868D8D958DB8D56DD7816A6C38315D26746318A223B7CE3413C2F0E215CC5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8991-6151-9D79-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8991-6151-9D79-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8991-6151-9D79-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.925{69CF5F33-8991-6151-9D79-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000977661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:21.729{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-13166-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.112{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F1DA01ED762A6D02895D98A071A78C1,SHA256=6C703739D323D948113622077F60F479075D01D41116942B145BC6535FB75D8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:25.076{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com51473-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001049078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:24.898{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53283-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:26.264{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=848050448DD18B4C13A2F38613A06DAE,SHA256=D494E7AC353CB4471D930649FFBABF20DF6139AE272820E5B3DE26576AF03EBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.861{69CF5F33-8992-6151-9E79-00000000FD01}36922908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8992-6151-9E79-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8992-6151-9E79-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8992-6151-9E79-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.628{69CF5F33-8992-6151-9E79-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000977677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.205{69CF5F33-8991-6151-9D79-00000000FD01}24084016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000977676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.127{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E4C9666279DEC8D3F3CA93D21E848EF,SHA256=C5B014292CBA58877B7851D4C9A9B9508536659FCFABF620BF711F06E5D05855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:27.320{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D87559581D41E038B9AC107184C4A10,SHA256=0F400BA6B8C9CABDFB4EF725AB8ECCF06BD04466584C9B7CE34F3BC4B9C03BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.658{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FFA3422FE9BFB24D5354F0259AA48B5,SHA256=58270822F5FFA30C28EFF7DC23DE72D5E5FB63BA83CF2B7A9BB0E40B6B4C2A58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8993-6151-9F79-00000000FD01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8993-6151-9F79-00000000FD01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8993-6151-9F79-00000000FD01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.300{69CF5F33-8993-6151-9F79-00000000FD01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000977694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:23.739{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-25003-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:23.315{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com49792-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.143{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71A3555579FFDBA9031A4DF0BA42180D,SHA256=F2572F21F2E844E7B0EF5FE99213D03498180CC88C375B9CE754532D5FCECBFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:27.040{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11BF5C2FF787B9F642223D5B3C72FD46,SHA256=E705458558296D1DF0EA11D88E7D89E8063FF889E35E40560FC9A6C812A129E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:27.039{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39D8515ED32D06A1DA8A6CB2E786EAD3,SHA256=1EA78AF05D5A2B32016E57524C6ED280A8EBCAAD24CFE27A391DF236C8989387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:28.338{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7311438505DD007471C0C090DE74BE5,SHA256=1139EA1EEFEF03739B7FC49F102D6BE1F9371BFBC0D993B5E42C8D2411BE5093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.814{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A36F073D4DA0C27D7D3747BEB5D3816,SHA256=0EAE25B93C6D54AF036B9A7D88C184665CED98B77DA21F7B60C678A649CB93B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8994-6151-A179-00000000FD01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8994-6151-A179-00000000FD01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8994-6151-A179-00000000FD01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.674{69CF5F33-8994-6151-A179-00000000FD01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000977724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.539{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62079-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.299{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B669D8F615634205ED229B114F857E,SHA256=2EC55E5230DFCF946FCB2890334FDFCADBD0C38B9FE8DA20C5B468BA575B7ADB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.174{69CF5F33-8993-6151-A079-00000000FD01}23602276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8993-6151-A079-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8993-6151-A079-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8993-6151-A079-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.987{69CF5F33-8993-6151-A079-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:29.360{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38545C711ACCF25C5B5A86F9C2D17D90,SHA256=2A11164D6F97FA9EFBEC7709C018B795F94ACFA6DED54DA62B0CE615862BB7A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.580{69CF5F33-8995-6151-A279-00000000FD01}24841888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000977753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.549{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CA2B257738FB8008CAAF6EC13B0785,SHA256=56FE091F200049184EA7C4355D2671A9B3BB3BB76AD2517F6A3BB4FBAE6E8AF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.393{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8995-6151-A279-00000000FD01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8995-6151-A279-00000000FD01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8995-6151-A279-00000000FD01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000977744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.024{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-62304-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000977743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.363{69CF5F33-8995-6151-A279-00000000FD01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001049087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:28.530{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63259-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:30.521{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11BF5C2FF787B9F642223D5B3C72FD46,SHA256=E705458558296D1DF0EA11D88E7D89E8063FF889E35E40560FC9A6C812A129E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:30.490{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7FC1E0783BAADAA6B62957B5F7A0399,SHA256=C5916C5C0E659DEA5669AAE08E477280FD4075B4B41F05ED6AB7015753F43544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:30.549{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E635BCDBEFE9EF2E9EE70C3516CD15,SHA256=45E5DD990C5FDF2E578F7899A63D4B8820AE0F7638EE6EF5ABD58BA3FF8D6623,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.838{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-36849-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.791{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62842-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.771{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59318-false10.0.1.12-8000- 23542300x8000000000000000977755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:30.236{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17BD46A3A5B090B216CEC1D23B781DAF,SHA256=7F8A554622E3EA806B155A99C92A58189104FE4992157A176E95A64A8C59EF9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:31.892{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30A723D826F97579FE82F130574331B6,SHA256=5CDBAB10B1269ABB5257A7C8F9A8A78FC2F534847E2D5F7624824465AAE66E5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:31.752{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6066AD699E1E72C2646746D2153AE62,SHA256=D01BD822C236926B03C5D9DB376008473BF9F0E5DCDC4C63EEC93F68B4E94894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:31.491{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E18954C72847533ABAE8FDFE1B6E1655,SHA256=1722B7B516A2ADF53ED99B030B3427EC25164B104D6CA055B6434C74285519B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:32.752{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE295AB57FF70467D8FB968EEE7736E,SHA256=B96D96124C7580E8A971A9D15D07B4C14487E7B799D279A0E0065D295B6A6344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:32.776{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9575C6627D8679D0D1B15BF995F98085,SHA256=81CB566A1E58B611A843ABD0727E8B8BE53D51CCD3E56181F5D051D053BE4A47,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:31.168{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64097-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001049091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:30.799{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53284-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:32.492{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22708D8BDEB7029BE2F861403D112F60,SHA256=CAB3211A15A640A82CE54581C4E66A16622E9714A1FDECEBB9A54A24A1FD1D29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:32.502{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=955D06F2B5D4A12401C4847CE510E392,SHA256=CB4E4C1F6405555492BE969345C4A89241FD460B7E2CD873CD46D2E13E48917A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:32.191{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000977765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:33.971{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1F25F3ADBACF937FCB431353440509,SHA256=103DBEE63C3F86E1572EAFF2432DC913384969346E76F81F21128D670F8321B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:33.506{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0236D501CEAB14921969B4746F9DC21,SHA256=3F755FC367CC76D77882778B24CF6588F4CCCC08C70683E515718D54068AD9A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:30.914{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-7337-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:34.986{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE5A2060B36EDACFCB6B6AFA7CCDD14,SHA256=191C748B6C6753B124337FCE5C8129858E37BD688FDA13B7A5B4B6C26EF436A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:34.540{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727CE1E2C015350F24FAFEB9BD04AB09,SHA256=C44101B1BF8F8D15768B04CE2B32EEFBA9716A80CE5C9B1271E1B0C9A5534595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:34.002{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B08A07B33DB14BE5E1C2EB80011B5250,SHA256=7ACC03EDB6E10662F5569B8B397DA83F4E55CF57AE43DF917DEE1038B3819E04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:35.558{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E00B6232585007D224FBAE219FB8753,SHA256=C6925905D371A59DDA140DACA601B62FB3B70AA74B70F2AE74ED691DAC148AB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:35.558{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000977769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:33.016{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-19490-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:32.725{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59319-false10.0.1.12-8000- 23542300x80000000000000001049099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:36.561{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794133974207DA2CCC62E435DF619101,SHA256=CD0B37C00DE9D3A2A56E1B365F247065CB80CF8B6339848EF3794FD3721F7244,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:33.934{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de61413-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:36.127{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3397E2C60F2CF211A05E15BB57B1F38B,SHA256=2A78B63E5746AAE4E568E30D415415577E9C1FA848430D8C0D67FD318DBA8FA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:36.033{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B31D1CF3ABFC4863E06AB11CB8AAFDD7,SHA256=E97D9B48318D33B382CE8867545B76866A3587A2948F3846BEBFC544ABCA989F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:36.508{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:36.184{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53286-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001049101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:35.929{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53285-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:37.591{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16798D3EEC180E0F775DDA5EA74E47C,SHA256=90780CD5CAC33CF175D9561EC79DB222FE37C4308B7985A0B82C9FEB621C9D57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-899D-6151-A379-00000000FD01}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-899D-6151-A379-00000000FD01}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-899D-6151-A379-00000000FD01}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.628{69CF5F33-899D-6151-A379-00000000FD01}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.174{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656FAF2C2A9E432A2E4AC21C1B162338,SHA256=BC9FDAE6CB43197CD58840866267000E50E79B9C34A2738D800F31B57CB99D97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:36.742{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51883-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:38.642{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21AAC38B21BDB0573EEA5373091C1A1B,SHA256=395C24EB0F2FB5A9B7330AFDCC854825D18AB604A4B512B019EA330590868A57,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:36.211{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52245-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:35.870{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-64407-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:38.736{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1644C75D546E2C711996A17543F4C7FC,SHA256=FEA65477B4C9B50890B6B3A61CFCEF12D5DBD53A822FB1E0DDDED23951EF4501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:38.267{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=996A0C2150EE36ADD4D4866A1084CC1C,SHA256=7327976E220702FB42C55B9679BF36FB7B9DE5E67F921665C7C1B05FF6EB5E0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:37.936{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local64460- 354300x80000000000000001049109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:37.711{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52562-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:39.659{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E0B2B34496AE32BF1C49DFBD4FA90F,SHA256=54574A880CEBF8A46671F75446FB1C204F84D3981E42B0F4B9512CE3A9203C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:39.283{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD801088B11B5B19D11692A89422C5F,SHA256=2CBD3C3ADAC490CD73F2B681F32D7E6B4AD0E4C82FA7420143DB8FF6AE8CAF58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:39.238{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A5B0007F78715CA51C089F5567C15B7A,SHA256=DF91845C65FE38D3F7D81C1A7A6AF9FB59EF64356C21C7E284FECCDB2EE54C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:39.075{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E530C1ABC4457B7597B2600310183F38,SHA256=6CB8B594D40AE8D747FBA5AABD388C6690033EF9240EC267E94AB4099788951D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:39.075{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4F6EB7A1C0A2D608BF4559D5043D797,SHA256=22961EDC623CA8E1863C7D0081D023E83EC0DFFF6675C228441766532B13C187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:40.673{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886DBCDB9F475FB1E99B13B4788B8B50,SHA256=482216900DE3DD7961513A681280433D10B3998A7116B3E3D8749032F565218F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:40.283{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE83605ECBCDAEAD09E3B7F88B56682,SHA256=75EAE4366ED5CA0FA42A48AD9BEF512343A39E1E0C7562C3B95E8B41A7996B07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:40.252{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A4049463B9AA4D04833F0F8405E7221,SHA256=F2386A47A3B21E8C39BFE58ACB751DD96D1F4918139F6C42F915833904C3290E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:41.688{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E06F63327BDC13BA71DFE7BD7C53B959,SHA256=0E9E0AB26F380A1D51472C6C0001E455C0B75A0277C458DC0A7FB041DB05AF20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:41.299{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB9BD7D36AC783993FDC7162D3FFEFA1,SHA256=293B62E7764E8BEBA4DEE8F87DE499AA56C38A5315601FB513475EBE16CAEFD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.549{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54976-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001049114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:42.757{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318BCFEF78F473159330895485F42F97,SHA256=80755E3A3321E2475B3D5E441E227D95D36BE9660498D7FD5B927CF2CA64828D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.896{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59320-false10.0.1.12-8000- 23542300x8000000000000000977796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:42.314{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA63D0CFFEBA945B812F1947078875D,SHA256=89D0FAB16FBFEDA8C6C7CB3F3E20ED065D512D1B5CF19C11A5B00B70A34E28B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:39.787{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de50411-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:43.757{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C513B42936914EE187B1801AB4D993,SHA256=8A88F2B82AFBA931283C10ECE02B2BD971A9F6D95BC0000A290322BBCA8285B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:43.318{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7266DC0499DD9ECE6F6712CB01EB7CE0,SHA256=316554A8E26174603537987831DBDD406D4C043D8A8C2FD9B8F0881FB025AA82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:43.172{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E530C1ABC4457B7597B2600310183F38,SHA256=6CB8B594D40AE8D747FBA5AABD388C6690033EF9240EC267E94AB4099788951D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:44.802{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DEBFD85BB7A085D9F640A196664AAD8,SHA256=D2112CD4AE328D18C41F2F95C081518D970AEE6E905D7F13A28FB3D0258C406B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:44.333{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C305E8860C0454BEB808F10BE7B25EF,SHA256=C90551BAB6623B3E4C26007A82955BB50B1433798A75895877ACA047DD07E786,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:44.603{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-89A4-6151-0F7A-00000000FC01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:44.603{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:44.603{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:44.603{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:44.603{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:44.603{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-89A4-6151-0F7A-00000000FC01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:44.603{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-89A4-6151-0F7A-00000000FC01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:44.588{5EBD8912-89A4-6151-0F7A-00000000FC01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001049119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:42.364{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55520-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001049118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:41.879{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53287-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:44.303{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8414EB1DE08228D38B9A3EAA34EF9F71,SHA256=D236BF47BB0D8A15421F95CF6EA1B753ED3E89B29F93C73F4F92C1AC91179A4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.834{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-89A5-6151-117A-00000000FC01}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.834{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.834{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.834{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.834{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-89A5-6151-117A-00000000FC01}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.834{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.834{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-89A5-6151-117A-00000000FC01}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.820{5EBD8912-89A5-6151-117A-00000000FC01}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.803{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D283B1600D472BF386E37A20748CA15,SHA256=4BBE04B42C7BB346E7ACBE38D17728714E99A40792A74E8E7C34F5ABEDF1516A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:45.333{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D11C5F04372AC0CE880A0E802BB3F56,SHA256=D2D5D5A315690DC2EBCB5AA731A6239709D6C1DDAA741C58906F177B38DFABF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.619{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19EED3EB570FDF81E3BC15E902D615C9,SHA256=DD134263D375EE9E09AD7AA1C6221828F4A099A96AD3707EF744E169EFB5000C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.287{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-89A5-6151-107A-00000000FC01}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.287{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.287{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.287{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.287{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.287{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-89A5-6151-107A-00000000FC01}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.287{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-89A5-6151-107A-00000000FC01}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.273{5EBD8912-89A5-6151-107A-00000000FC01}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:46.834{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D73042DA0E87975443437C2B0C7F89F9,SHA256=C794B82F8B9860E9FB3F5FA8D0AB526487D9EBAB5BA26E939A139EA45665C86C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:46.818{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A228345688AE58E3379E65A48A3F23B,SHA256=D0A175E408C7956945D4EC84D7B4462C114E86874D36DFB9130DE67AC1FE2AE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:43.650{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59321-false10.0.1.12-8000- 23542300x8000000000000000977801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:46.349{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88AAEE3CBF560AF2D2EFDE3002EBC45F,SHA256=4C603C28583A33AC754A0F9CA891B92772AF82E3BC6BDA7FE2E5954E03B9E315,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:46.003{5EBD8912-89A5-6151-117A-00000000FC01}41124248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:47.849{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A41EF035C1B909F25E71B569A09CB13F,SHA256=355EAAD9A379473A95F5488F64866C4FAE1125D60AF80003B11B47DD244DB85F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:47.833{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC21B72A4FD1F33AD730CA0C33FAEEA2,SHA256=C66419A84C9E94683839251F77DED8776B23E42C111604091E8B965593406B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:47.364{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF2BC73821A7EE058FFD218D2297634,SHA256=64593EDB4C36BEB9CAC877D4AA804F83B4115DBAF7C4B3C4DC71C7F66906C34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:48.886{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0203BB1260FEB68756AAA7876E5C463C,SHA256=C9E68679272348C0BD0B10A79632E96447D497CF4877D913D73A9CD584E7882D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:48.364{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607BB67A3DD36E29F72BC30ECFDC2AAF,SHA256=525714E603EC5558B0C4957EBFBCC53ECD6AD12ECB97ED949D8AB6D7E4972BBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:46.203{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60780-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000977805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:48.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F659E372F09248E3ABAB68D2B4F2CF8,SHA256=BC5E0C4723FA9F1075531E67D585237E653C1E3657540EA23FB074B5B85476A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:48.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A792BE9BE0C7CDBEA8A0F44FF624B1DE,SHA256=DB7434C771B537341630348CB46780F0672C0EA6E02ABCEB545A7772B3D21AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:49.901{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2E2D2F5A05FF28A2954000C4D8DD74,SHA256=2AE75883CC2C6CAD82879E9F76061A5349AEE9BBEE2545A8B0DBD7033DA18920,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:45.561{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58177-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:49.381{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A0890DEEBA423B2C76F2B363145296,SHA256=42EC5EC694AC0FB5089F76BECF690DC3FB72388497BDE35369DEC6407C6BA415,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:47.825{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53288-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:50.931{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2E14C02483F71B77526E0E915FB9EDA,SHA256=BB0BB77F760E03AED863A33EFDF7357D80D3953B2A2BBAA4534984BB5F0FB631,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:46.508{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58852-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:50.396{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B856933B359A8ED54361492126D08CBF,SHA256=FD69045B709D354662E31DE46415D9058EA89BBC868B8A4158F7B9AC3E3E1146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:50.349{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F659E372F09248E3ABAB68D2B4F2CF8,SHA256=BC5E0C4723FA9F1075531E67D585237E653C1E3657540EA23FB074B5B85476A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:48.821{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59322-false10.0.1.12-8000- 23542300x8000000000000000977812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:51.396{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15C252BF88B1131089404260F19CE926,SHA256=842E9804732585F69A1CE7857428CBBF7A820F305C8E860FF624581A7ED67F80,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:49.903{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60974-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:52.661{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5EDFEBE5D0BB2CEFC08F87B7BD4224C,SHA256=9CB87B6B63E4E3282B94FD8E794D6E13DC15D7B886A4536B890D3B67BDD4C128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:52.411{69CF5F33-7F3A-614D-7000